Privacy Policy
Last updated: April 21, 2026
About Deva
Deva is an AI-assisted secure coding platform built for classified, air-gapped, and other controlled environments. The scanner, the Deva Coder local model, compliance mapping, and fix generation are designed to execute entirely inside the customer's boundary. This policy describes the limited data we process for account and web services, and what never leaves your environment.
What We Collect
Account Information
When you create an account, we collect:
- Email address
- Display name
- Profile photo (if signing in with Google or GitHub)
Google User Data
This section describes how Deva accesses, uses, stores, shares, and retains data obtained through Google APIs, in compliance with the Google API Services User Data Policy.
Data Accessed
When you sign in with Google, we access your Google account email address, display name, and profile photo. No other Google user data is accessed.
Data Usage
Google user data is used solely to:
- Authenticate your identity and maintain your session
- Display your profile information within the application
We do not use Google user data for advertising, analytics, or any purpose unrelated to authentication and profile display.
Data Sharing
We do not sell, rent, or share Google user data with any third parties. Google user data is not transferred to any external service except as strictly necessary to provide the features you have opted into (for example, Firebase Authentication for sign-in). We do not provide Google user data to AI providers, advertisers, data brokers, or any other third party.
Data Storage & Protection
Google user data is stored in Firebase (Google Cloud) with access restricted to authenticated users. OAuth tokens are encrypted and stored in Google Cloud Secret Manager. All data is transmitted over HTTPS.
Data Retention & Deletion
Google account data is retained only while your account is active. You may request deletion of all your data at any time by emailing admin@devseccode.com. Upon receiving a deletion request, we will remove all associated data within 30 days and confirm completion. You can also revoke Deva's access to your Google account at any time via Google Account Permissions.
AI Features
Deva's default AI path uses Deva Coder, a local model that runs on the developer's machine or on an on-premises inference node inside the customer's environment. In this configuration, prompts, code context, scan findings, and model responses do not leave the customer boundary.
In non-air-gapped deployments, the operator may optionally enable third-party AI providers (Anthropic, OpenAI, or Google). The prompt and relevant code context for a request are sent to the selected provider only when the operator has explicitly enabled those providers. Air-gapped and controlled-environment deployments do not use third-party AI providers.
What Never Leaves Your Environment
In air-gapped and controlled-environment deployments, none of the following are transmitted outside the customer's boundary:
- No source code. Scanning, AST analysis, and taint tracking run locally. Source code is not uploaded to our servers or to any third party.
- No findings or remediation diffs. Scan results and generated fixes stay inside the customer environment.
- No prompts or model responses. The local Deva Coder model runs on the developer's machine or on-prem. Prompts and outputs do not egress.
- No telemetry. Usage analytics, crash reports, and machine identifiers are disabled.
- No tracking. We do not use cookies, fingerprinting, or advertising trackers.
- No outbound CVE or package-index lookups in offline mode. The vulnerability and supply-chain dataset ships with the product.
How We Protect Your Data
- API keys and credentials are stored in Google Cloud Secret Manager and are never embedded in the application or stored on your device.
- OAuth sign-in flows use one-time codes that expire after 5 minutes, and validate the state parameter to prevent CSRF attacks.
- Authentication tokens are verified using constant-time comparison.
Data Retention & Deletion
- Account data is retained while your account is active.
- AI conversations exist only in your local session and are not persisted on our servers.
- Scan findings and fix diffs remain inside the customer environment and are not retained by us.
To request deletion of your account data, email admin@devseccode.com. We will process deletion requests within 30 days.
Your Rights
You may:
- Access your data by viewing your profile in the application.
- Delete your account and associated data by contacting us.
- Opt out of AI-augmented scanning in settings.
- Run fully locally. Use Deva Coder or a customer-provided local model to keep all AI processing inside your environment.
Third-Party Services
| Service | Purpose | Privacy Policy |
|---|---|---|
| Google Cloud / Firebase | Authentication, data storage | cloud.google.com |
| Anthropic | AI provider (Claude) | anthropic.com |
| OpenAI | AI provider | openai.com |
| Google AI | AI provider (Gemini) | ai.google |
| GitHub | Sign-in | docs.github.com |
Changes
We will update this page when our data practices change. The “Last updated” date at the top reflects the most recent revision.
Contact
For privacy questions or data deletion requests:
- Email: admin@devseccode.com