Security & Privacy Policy
Your code and on-chain data remain under your control at all times. Here's exactly how we handle them.
Our Core Principles
1. Minimal Access
Our GitHub App requests read-only access to code content. We cannot:
- Modify your code
- Create or delete files
- Access other repositories you haven't authorized
- See your private tokens or secrets
2. Controlled Processing
Depending on how you use Solidity Prism:
- GitHub PRs & deployed contracts: Only identifiers are stored (repository, commit SHA, contract address, transaction hash, network). Source code is processed temporarily and not stored.
- Direct input (snippet or uploaded .sol files): Source code is stored to allow you to access, review, and revisit your analysis results.
- Analysis tools (Slither, Aderyn, Mythril, AI layer, Custom heuristics) run in memory.
- Forensic analysis: Uses only public blockchain data (transactions, logs, traces). No private or off-chain data is required.
3. Data Retention Transparency
We DO store:
- Audit results (vulnerabilities found, severity, line numbers)
- Gas optimization suggestions
- Audit metadata (timestamp, repository name, commit SHA, contract address, transaction hash, network)
- Source code only when explicitly provided via snippet or uploaded .sol files
- Transaction data and tracing results (for forensic analysis)
We DO NOT store:
- Source code from GitHub repositories
- Source code from deployed contracts
- Environment variables or secrets
- Dependencies or full project structure
- Private keys or sensitive credentials
Technical Architecture (GitHub Workflow)
The following flow describes the GitHub-based analysis workflow only. Playground usage (direct inputs) and forensic analysis follow different processing paths.
Data Flow Diagram (image not reproduced here)
GitHub code retention: temporary only (not stored). Repository code is processed for analysis and is not permanently stored.
See Real Results
Don't take our word for it. Check out actual audit reports showing vulnerabilities found and gas optimizations suggested.
View Showcase Reports
Compliance
Smart Contract Audit Standard
We follow best practices from established Web3 security firms like Trail of Bits and OpenZeppelin.
Data Control & Transparency
You maintain full control over your data, with clear rules depending on how inputs are provided (GitHub, deployed contracts, or direct input).
How We Compare
Solidity Prism is a comprehensive analysis platform for developers: security vulnerability detection and gas optimization analysis in one platform. It is designed for continuous development workflows and rapid iteration, not as a replacement for professional audits but as an essential step before them.
| Security Practice | Solidity Prism | Industry Standard |
|---|---|---|
| Code Access Type | Read-only | Read-only |
| Source Code Storage | GitHub & deployed contracts: not stored; snippet & file upload: stored | Variable (some tools cache source) |
| User Control | Revocable anytime (GitHub Actions) | Revocable anytime |
| Third-Party Sharing | Never | Never (reputable tools) |
Important Disclaimer: Solidity Prism is a comprehensive analysis platform designed to assist developers in identifying vulnerabilities, optimizing gas usage, and investigating on-chain activity. It is not a substitute for professional security audits.
The platform combines industry-leading tools such as Slither, Aderyn, Mythril, AI analysis, and custom heuristics to deliver fast and actionable insights. However, as with any automated system, certain complex or novel vulnerabilities may not be detected, and AI-generated insights may occasionally be incomplete or misinterpreted.
Users remain fully responsible for reviewing their code, validating findings, and making final decisions before deployment. We strongly recommend conducting thorough manual reviews and engaging professional auditors prior to mainnet release.
Security FAQ
What if Solidity Prism is hacked?
Sensitive source code from GitHub repositories and deployed contracts is not stored. However, analysis results are always stored, including detected vulnerabilities, gas insights, and forensic tracing data.
When source code is explicitly provided via snippet or file upload, it may be stored alongside results to allow users to review their analyses. No private keys, secrets, or sensitive credentials are ever stored.
Do you use my code to train AI models?
No. Your code is never used for training, fine-tuning, or any other machine learning purpose. Analysis relies purely on rule-based checks and symbolic execution.
How do I revoke access?
Solidity Prism runs as a GitHub Action in your repository. To revoke access:
- Delete the workflow file: In your repository, delete .github/workflows/solidity_prism.yml and commit the change. This immediately stops all analyses.
- Remove the secret (optional): Go to your repository Settings → Secrets and variables → Actions, find PRISM_ACTION_SECRET, and remove it.
- Deactivate in dashboard (optional): Log in to your Solidity Prism dashboard and deactivate the repository.
See our full uninstallation guide for detailed instructions.
How reliable are the analysis results?
Solidity Prism combines industry-standard analysis tools (such as static analysis and symbolic execution) with AI-assisted insights to provide fast and actionable results. However, no automated system can guarantee complete accuracy.
The underlying tools may produce false positives (flagging non-issues) or false negatives (missing certain vulnerabilities), especially in complex or highly customized smart contracts.
In addition, AI-generated insights are designed to improve clarity and detection coverage, but may occasionally misinterpret context or produce incomplete or inaccurate conclusions.
Solidity Prism should be used as an assistance tool to accelerate development and investigation workflows. All findings should be reviewed and validated by developers, and critical systems should always undergo a professional security audit before deployment.
Still Have Questions?
We're happy to discuss our security practices in detail.
Open an Issue on GitHub