Security & Trust
Last updated: April 27, 2026
Fixor reads pull request diffs and writes back security findings. Anyone trusting Fixor with their code has a right to know what we hold, who else touches it, and how to tell us when we've done something wrong. This page is the short version — the longer narrative is in our Privacy Policy and the operator-facing roadmap in our public repository.
1. Security practices
Concrete things shipped today, not aspirations:
HMAC-verified webhooks
Both inbound webhook surfaces — GitHub (scan trigger) and Paddle (billing) — verify HMAC-SHA256 signatures on every request before parsing the body. The Paddle path enforces a 5-minute replay window.
Short-lived GitHub tokens
Fixor authenticates with GitHub via the App's installation tokens, which expire within 1 hour. We don't hold a long-lived personal access token for any user.
Diffs are not stored
The PR diff is processed in memory by the analysis engine and is not written to our database. Cost ledger and scan history rows track that a scan ran (and what it cost) without storing the code itself.
Signed report URLs
PDF + SARIF reports live on Cloudinary as authenticated assets. The PR comment links to a signed URL with a 1-hour TTL by default; the URL only proves the holder reached the comment within that window.
Hashed API tokens
API tokens (the fxr_* values) are 256-bit random strings. We store only their SHA-256 hashes; the plain token is shown once at creation and never again. A leaked database dump therefore exposes only hashes, which cannot be presented as tokens.
Per-org budget caps
Every org has a hard monthly Anthropic spend cap (free=$5, indie=$30, pro=$80, team=$200). Scans pause at 100% rather than overspending; an 80% nudge fires earlier in the PR comment + email + dashboard.
Redacted structured logs
Server logs go through Pino with explicit redaction for ANTHROPIC_API_KEY, GitHub App private keys, and billing identifiers. console.* outside test scripts is banned in CI.
TLS everywhere
Database (Neon), Anthropic, Paddle, GitHub, Resend — every outbound connection runs over TLS. The marketing + dashboard surfaces enforce HTTPS via Vercel / GitHub Pages.
The full source is open, MIT-licensed, and reviewable at github.com/tornidomaroc-web/fixor — the security claims above are checkable against the code.
2. Subprocessors
We use the following third parties to operate Fixor. Each has its own security posture and certifications — click through for theirs.
| Subprocessor | Purpose | Region |
|---|---|---|
| Anthropic | Diff analysis (Claude API) | USA |
| Neon | Postgres database | USA / EU |
| Railway | Backend webhook + analysis runtime | USA |
| Vercel | Dashboard hosting | USA / EU |
| Clerk | GitHub OAuth + dashboard sessions | USA |
| Paddle | Payments + merchant of record | USA / EU / UK |
| Resend | Transactional email | USA |
| Cloudinary | PDF + SARIF report hosting | USA |
| Sentry | Error tracking | USA |
| GitHub | Webhook source; Fixor is a GitHub App | USA |
3. Compliance posture
- In place: Open-source codebase under MIT — every claim on this page is verifiable against the source.
- In place: Encrypted transport for all subprocessor traffic and customer-facing surfaces.
- In place: Audit log for billing + settings changes (the audit_log table; per-row actor + action + metadata).
- Not pursuing: SOC 2 / ISO 27001 / HIPAA — Fixor is built for indie + small-team customers, and pursuing those certifications would change the product economics. If a customer needs them, that's a conversation we'd have on a paid Team contract.
- Not pursuing: Data residency guarantees beyond the regions our subprocessors offer. EU customers concerned about residency should pick the EU region in their own subprocessor accounts (Neon, Vercel) where applicable.
4. Vulnerability disclosure
Email support@fixor.dev with subject line SECURITY: followed by a one-line summary. Mention “disclosure” in the body.
We'll acknowledge within 72 hours and follow up with a triage decision within 5 business days.
In scope
- The Fixor GitHub App and its webhook endpoints (Railway)
- The Fixor dashboard (Vercel) including /api/billing/* and /api/orgs/[id]/settings
- The Fixor source code in github.com/tornidomaroc-web/fixor
- The marketing site at this domain
Out of scope
- Findings against subprocessors — report those to the relevant vendor (Anthropic, Vercel, etc.) directly
- Denial-of-service, volumetric attacks, social engineering of staff or customers
- Reports based on outdated dependencies without a working proof-of-concept against Fixor
- Self-XSS, missing security headers without exploit, “informational” findings (TLS configuration suggestions, etc.)
Safe harbor
Good-faith research that follows this scope and stops at proof-of-concept will not result in legal action from us. Don't exfiltrate data, don't run automated scanners that affect availability, and don't go after other customers' data — if you find a way to read another org's rows, stop, and tell us.
5. Incident communication
Live status: status.fixor.dev tracks four monitors (landing, dashboard, backend, Anthropic edge). Subscribe there for incident emails. Material data-breach notifications go to the email on each affected org's record (the installer email captured at first dashboard sign-in) within 72 hours of confirmation.
6. Data subject requests
For access, deletion, or export of data Fixor holds about your org, see the “Your rights” section of our Privacy Policy. Requests go to support@fixor.dev and are answered within 30 days.