security

Honest security, on your terms.

We're a young tool, and we'd rather tell you exactly what we do and don't do than hide behind a compliance logo. Your code is yours. Your data is yours. Pick how much you want us to touch.

our principles

01

Your code is not training data

We do not use your code, prompts, or outputs to train any model — ours or anyone else's. Anthropic processes your click click claude requests to generate responses, under their standard API terms; nothing from you leaves as a training signal.

02

Best-practice defaults, not compliance theatre

We don't have SOC 2, ISO, HIPAA, or any other audit on the wall yet — and we're not going to pretend we do. What we do have: encrypted secrets, managed Supabase with row-level security, scoped GitHub tokens, no shared credentials, and code review on every change. We'll pursue formal compliance when real customers need it.

03

You choose how much we see

Fully managed or bring your own repo. Pick the posture that fits — you aren't locked into one mode, and you can move between them later.

04

Least privilege, least storage

We only ask for the access we actually need, and we only store what we have to. Integration tokens are encrypted at rest, scoped to the minimum required permissions, and revocable from your settings in one click.

two ways to use it

Same tool, two access profiles. You're in control — pick one or move between them.

All-in managed

easiest — for new projects

We spin up a GitHub repo, a Supabase database, a Vercel deployment, and point Claude Code at it. You get a live app at a URL. We have access to your repo and database because we provisioned them — the trade-off for zero setup.

We have full access to the managed repo + DB.

Bring your own repo

middle ground

Import an existing GitHub repo. Claude Code runs against it during your sessions, but we don't hold persistent access to your infrastructure. Your code lives where it always has — we're just the tool that edits it.

No persistent access to your repo or infra.

on compliance

We don't hold SOC 2, ISO 27001, HIPAA, or similar certifications yet. If your company requires one of these to adopt a tool, we're not the right fit today — but reach out, we want to know what matters to you.

In the meantime: secrets encrypted at rest, scoped tokens, least-privilege access, code review, and clear incident response. Real security practices — just without the audit badge.

Security questions? Email hello@clickclickclaude.dev.