click click claudelog in →

security

Honest security, on your terms.

We're a young tool, and we'd rather tell you exactly what we do and don't do than hide behind a compliance logo. Your code is yours. Your data is yours. Pick how much you want us to touch.

our principles

01

Your code is not training data

We do not use your code, prompts, or outputs to train any model — ours or anyone else's. Anthropic processes your click click claude requests to generate responses, under their standard API terms; nothing from you leaves as a training signal.

02

Best-practice defaults, not compliance theatre

We don't have SOC 2, ISO, HIPAA, or any other audit on the wall yet — and we're not going to pretend we do. What we do have: encrypted secrets, managed Supabase with row-level security, scoped GitHub tokens, no shared credentials, and code review on every change. We'll pursue formal compliance when real customers need it.

03

You choose how much we see

Fully managed, partially managed, or nothing at all. Pick the posture that fits — you aren't locked into one mode, and you can move between them later.

04

Least privilege, least storage

We only ask for the access we actually need, and we only store what we have to. Integration tokens are encrypted at rest, scoped to the minimum required permissions, and revocable from your settings in one click.

three ways to use it

Same tool, three access profiles. You're in control — pick one, mix, or move between them.

All-in managed

easiest — for new projects

We spin up a GitHub repo, a Supabase database, a Vercel deployment, and point Claude Code at it. You get a live app at a URL. We have access to your repo and database because we provisioned them — the trade-off for zero setup.

We have full access to the managed repo + DB.

Bring your own repo

middle ground

Import an existing GitHub repo. Claude Code runs against it during your sessions, but we don't hold persistent access to your infrastructure. Your code lives where it always has — we're just the tool that edits it.

No persistent access to your repo or infra.

Fully local

most private

Run the desktop app, point click click claude at a folder on your machine, work. Nothing is uploaded, nothing is stored on our side — just the prompts you send to click click claude (via Anthropic's API) and the responses you get back.

Nothing leaves your machine except the click click claude prompts.

on compliance

We don't hold SOC 2, ISO 27001, HIPAA, or similar certifications yet. If your company requires one of these to adopt a tool, we're not the right fit today — but reach out, we want to know what matters to you.

In the meantime: secrets encrypted at rest, scoped tokens, least-privilege access, code review, and clear incident response. Real security practices — just without the audit badge.

start building →

Security questions? Email hello@clickclickclaude.dev.