As hardcore engineers with pedigrees from finance, government and companies like Cloudera, working with sensitive data & security-conscious environments is part of our lifeblood. We pride ourselves in taking extra care when working with code access.

Application, Quality & Code Security

  • Code is pulled and analyzed in ephemeral, isolated containers or virtualized environments
  • Company employs engineers & contractors dedicated to Application Quality & Testing
  • FOSSA engineers employ regular peer code review
  • Fully encrypted one-way access of sensitive data (i.e. user passwords, access tokens, etc.)
  • FOSSA never generates permanent (non-revokable) access credentials for 3rd-party services. Tokens are regularly churned upon expiration and follow the OAuth spec.

Web Security

  • All application data transmitted over HTTPs
  • 24/7 application monitoring and DDoS protection
  • Hosted in Amazon Web Services datacenters (ISO 27001 and FISMA certified)

On-Prem Security

  • On-prem is fully sealed; all data (including open source analysis, cache, etc...) is located and communicated behind the firewall.
  • Native HTTPs support baked into on-prem offering
  • Application is distributed with multiple layers of containerization, virtualization & sandboxing across the stack
  • Successfully passed security review for Fortune 50 on-prem deployments

Physical, Operational & Information Privacy

  • 2-Factor authentication required for all employees
  • Office located in private facilities with 24/7 security, surveillance and access cards

Security Disclosure Policy

If you think you've found a security issue, please email us at or the founder directly at with "[SECURITY]" in the title. DO NOT attempt to publically disclose or report the vulnerability.