
Security & compliance

How we protect your data, our current posture, and what we are working toward.

Privacy-first by design

Your source code never leaves your machine. The CLI runs locally and, only if you choose to activate a license, sends aggregated numbers (scores, counts, ratios) to the hub. We never read, parse, or store your source code on our servers.

Read the full data policy →

Current compliance posture

  • GDPR: Fully compliant. Data processing aligned with Regulation (EU) 2016/679.
  • EU data residency: Primary infrastructure hosted in the European Union (Hetzner, Germany).
  • TLS 1.3 everywhere: All connections to the hub use modern TLS with HSTS.
  • Magic-link authentication: No passwords stored. Short-lived signed links only.
  • No AI training on your data: Aggregated metrics sent for narrative generation are never used to train models.
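Magic links of the kind the list describes are usually a signed, time-limited, single-use token carried in the URL. The block below is an added Python example of that pattern, not DebtLens's own code: the endpoint URL, the HMAC-SHA256 construction, the 15-minute lifetime and the in-memory set of used nonces are all assumptions made for illustration.

```python
"""Illustrative magic-link tokens: HMAC-signed, time-limited, single-use.

Added example, not DebtLens code. The endpoint URL, key handling, TTL and
nonce store are assumptions for illustration only.
"""
import base64
import binascii
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional, Set

# Assumed server-side secret; a real deployment loads this from a KMS or env.
SIGNING_KEY = secrets.token_bytes(32)
BASE_URL = "https://hub.example.test/auth/magic"  # hypothetical endpoint
TTL_SECONDS = 15 * 60                              # assumed link lifetime

# Single-use record; in practice a database table with an expiry index.
_used_nonces: Set[str] = set()


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_link(email: str, key: bytes = SIGNING_KEY,
               now: Optional[float] = None) -> str:
    """Build a link whose token carries subject, expiry and a random nonce."""
    now = time.time() if now is None else now
    payload = {
        "sub": email,
        "exp": int(now) + TTL_SECONDS,
        "nonce": secrets.token_urlsafe(16),
    }
    body = _b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = _b64url(hmac.new(key, body.encode(), hashlib.sha256).digest())
    return f"{BASE_URL}?t={body}.{sig}"


def verify_link(url: str, key: bytes = SIGNING_KEY,
                now: Optional[float] = None,
                used: Set[str] = _used_nonces) -> Optional[str]:
    """Return the authenticated email, or None (no detail on which check failed)."""
    now = time.time() if now is None else now
    try:
        token = url.split("?t=", 1)[1]
        body, sig = token.split(".", 1)
        expected = hmac.new(key, body.encode(), hashlib.sha256).digest()
        # Verify the signature first, in constant time, before trusting any field.
        if not hmac.compare_digest(expected, _unb64url(sig)):
            return None
        payload = json.loads(_unb64url(body))
    except (IndexError, ValueError, binascii.Error):
        return None
    if now > payload["exp"]:          # short-lived: reject after TTL
        return None
    if payload["nonce"] in used:      # single-use: reject replay
        return None
    used.add(payload["nonce"])
    return payload["sub"]
```

Two design points matter more than the token layout: the signature is checked with a constant-time comparison before any field is parsed, so a tampered body is never interpreted, and single use requires server-side state (the nonce set here), since a signature and an expiry alone cannot stop the same link being clicked twice.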

Formal certifications

DebtLens is run by a small team. We do not currently hold SOC 2, ISO 27001 or HIPAA certifications and have no fixed timeline to pursue them — audits of that kind are significant investments that would be driven by concrete customer demand.

If your procurement process needs one of these certifications before you can sign, tell us. Enough demand moves it onto the roadmap; we'll tell you either way.

Security contact

Found something that looks like a vulnerability? We respond within 48 hours.

  • Email: security@debtlens.tech
  • PGP: Available on request.
  • Scope: debtlens.tech, debtlens.app, and the CLI binaries.

Last updated: April 2026