Security & Privacy

Your code never leaves your machine unless you explicitly opt-in.

SnapBack is built with a privacy-first, local-first architecture. We capture metadata for intelligence—not your source code.

Architecture Overview

Local-First Design

┌─────────────────────────────────────────────────────────┐
│                    YOUR MACHINE                          │
│  ┌─────────────┐    ┌─────────────┐    ┌─────────────┐  │
│  │ VS Code     │───▶│ SnapBack    │───▶│ .snapback/  │  │
│  │ Extension   │    │ Engine      │    │ Local Store │  │
│  └─────────────┘    └─────────────┘    └─────────────┘  │
│                            │                             │
│                            ▼                             │
│                   ┌─────────────┐                        │
│                   │ Metadata    │ (Optional cloud sync)  │
│                   │ Only        │────────────────────────┼──▶ Cloud
│                   └─────────────┘                        │
└─────────────────────────────────────────────────────────┘

What stays local:

All source code and file contents
Protection states (full file snapshots)
Pattern learning data
Session history

What can optionally sync (metadata only):

AI tool usage patterns (anonymized)
Risk event frequencies
Aggregate statistics

Data Collection

What SnapBack Collects

✅ Collected (Metadata Only)

• Event types (save, protection state created)
• AI tool identifiers (which assistant was active)
• Timestamps and session durations
• File extensions (not names or paths)
• Aggregate change metrics (lines changed)
• Risk event counts

❌ Never Collected

• Source code or file contents
• File names or paths
• Diff contents or patches
• Personal identifiers
• IP addresses or location data
• Proprietary algorithms or logic

Example: What Gets Sent (If Opted In)

{
  "event": "protection_state_created",
  "timestamp": "2025-01-14T15:30:00Z",
  "metadata": {
    "ai_tool": "cursor",
    "ai_contribution": 0.78,
    "file_extension": ".ts",
    "lines_changed": 45,
    "risk_level": "medium",
    "session_duration_minutes": 12
  }
}

Notice: No file paths, no code, no personal data.

Detection Accuracy & Methodology

AI Detection Performance

Our detection system has been validated across diverse codebases:

89%

Overall Detection

AI vs Human edits

98%

Cursor Detection

Highest accuracy

97%

Copilot Detection

Inline completions

94%

Risk Detection

Secrets, mocks, deps

Detection Methodology

SnapBack uses multiple signals to detect AI activity:

Signal	Method	Privacy Impact
Editor API hooks	VS Code extension API	Local only
Change velocity	Timing patterns	Metadata only
Code patterns	Heuristic analysis	Local processing
Tool metadata	AI extension signals	When available

How it works:

Extension monitors editor events (local)
Analyzes change patterns (local)
Applies ML-based classification (local)
Stores attribution with protection state (local)

No code is sent to external services for AI detection.

Data Retention

Local Storage

Protection states are stored in .snapback/ with configurable retention:

// .snapbackrc
{
  "retention": {
    "maxAge": "30d",           // Keep states for 30 days
    "maxStates": 1000,         // Maximum states per file
    "compressionLevel": "high" // Binary compression
  }
}

Default retention: 30 days or 1000 states per file (whichever comes first)

Cloud Sync (Optional)

If you enable cloud features:

Metadata syncs with AES-256 encryption in transit
Data retained for 90 days by default
Can request deletion at any time
GDPR-compliant data handling

Enterprise Security

Compliance

🔐 SOC 2 Type II

Security controls audited annually

🇪🇺 GDPR

Data processing with EU compliance

🏥 HIPAA Ready

BAA available for healthcare

Enterprise Features

Feature	Description
SSO/SAML	Integrate with your identity provider
Audit logs	Complete activity trail for compliance
Data residency	Choose where metadata is stored
Air-gapped mode	Fully offline operation
Custom retention	Configure per organizational policy

Air-Gapped Deployment

For maximum security, SnapBack can run fully offline:

// .snapbackrc
{
  "offline": true,
  "telemetry": false,
  "cloudSync": false
}

In this mode:

Zero network requests
All processing local
No analytics or telemetry
Full functionality preserved

Vulnerability Disclosure

Reporting Security Issues

If you discover a security vulnerability:

Email: security@snapback.dev
Include: Description, steps to reproduce, impact assessment
Response: We’ll acknowledge within 24 hours
Timeline: Fix deployed within 7 days for critical issues

Bug Bounty

We offer rewards for responsible disclosure:

Severity	Reward
Critical	$1,000 - $5,000
High	$500 - $1,000
Medium	$100 - $500
Low	Recognition

Open Source Components

SnapBack uses audited open-source libraries:

Component	Purpose	License
better-sqlite3	Local storage	MIT
jsdiff	Diff generation	BSD
PostHog	Analytics (optional)	MIT
zod	Schema validation	MIT

We regularly audit dependencies for vulnerabilities using automated scanning.

Transparency

What We Believe

Your code is yours. We never access, read, or store your source code.
Privacy by default. Cloud features are opt-in, local is the default.
Minimal data. We collect only what’s needed for intelligence features.
User control. You can export, delete, or disable data collection anytime.

Data Export

Export all your data at any time:

# Export all local data
snap export --format json > my-data.json

# Export cloud data (if opted in)
snap cloud export --all

Data Deletion

Delete your data completely:

# Delete local data
snap reset --all

# Delete cloud data
snap cloud delete --confirm

Frequently Asked Questions

Does SnapBack read my code?

SnapBack processes your code locally for protection states and pattern learning. This data never leaves your machine. Cloud sync only sends anonymized metadata.

Can I use SnapBack in a secure environment?

Yes. Enable offline mode for zero network requests. SnapBack works fully locally without any external dependencies.

How is AI detection done without sending code?

Detection uses local heuristics: change velocity, editor API signals, and pattern matching. All processing happens on your machine.

What happens if I delete SnapBack?

Uninstalling removes all local data in .snapback/. If you opted into cloud sync, that data remains until you request deletion.

Contact

For security questions or concerns:

Security issues: security@snapback.dev
Privacy questions: privacy@snapback.dev
General support: support@snapback.dev

Security is foundational to SnapBack.

We built with privacy-first principles because we believe intelligence shouldn’t require compromising your code security.

View our Privacy Policy → | Contact Security Team →