// security & trust

Your code never leaves your machine.
That is the architecture, not a promise.

Ghost Architect™ is a command-line tool that runs entirely on your laptop, your server, or your CI runner. There is no Ghost cloud that sees your source. There is no central server holding your scans. The product is designed so that even if Ghost Architect™ were compromised tomorrow, your codebase would not be affected.

At a glance

Local execution: The scanner runs on your machine. No code is uploaded to Ghost Architect™.
BYOK Anthropic API: You bring your own Anthropic API key. We never see it.
No central storage: We operate no servers that hold customer source code.
Reports stay yours: Findings live in your own private GitHub repository.
Telemetry is opt-out: Set GHOST_NO_PING=1 to disable all outbound calls.
MIT-licensed CLI: Ghost Open ships free on npm under the MIT license. Repository on GitHub.

// data flow

Where your code actually goes during a scan

When you run Ghost Architect™ against a codebase, here is the complete path the data takes. There are no hidden steps.

Step 1
Ghost Architect™ reads your local files. Nothing is uploaded yet. File reading happens entirely on your machine.
Step 2
Relevant code chunks are sent directly to Anthropic's API using your own API key. The traffic goes from your machine to Anthropic. Ghost Architect™ is not a relay, proxy, or middle hop. Anthropic's enterprise data retention policies apply (zero data retention by default on paid plans). See Anthropic's privacy policy.
Step 3
Anthropic's API returns analysis. The response comes back to your machine.
Step 4
Ghost Architect™ writes the findings report locally as PDF, Markdown, or text. On Team and Enterprise tiers, the report is committed to a private GitHub repository that you own and control. We do not host these repositories.
Step 5
A small heartbeat ping containing the CLI version, an anonymized install ID, and the event type (for example cli-firstrun-docker) may be sent to our telemetry endpoint. This ping contains no source code, no file paths, no findings, no API keys, and no personally identifiable information. You can disable it entirely by setting the environment variable GHOST_NO_PING=1.
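The heartbeat described in Step 5 is the only outbound call that is not your own traffic to Anthropic, so it is the part a reviewer will want to reason about: what gates it, and what it can carry. The following is an added illustration written for this page, not Ghost Architect™'s own code; it models the behaviour the text describes (an env-var kill switch, an anonymized install ID, a payload limited to version, install ID and event type). The state-directory layout, the function names and the placeholder telemetry URL are assumptions.

```python
"""Model of an opt-out telemetry heartbeat: env-var gate, anonymized install
ID, and a strict allow-list on what the ping may contain. Added example, not
the project's code; directory layout, names and URL are assumptions."""
import hashlib
import json
import secrets
import urllib.request
from pathlib import Path
from typing import Optional

# Placeholder endpoint; the page does not publish the real one.
TELEMETRY_URL = "https://TELEMETRY-ENDPOINT.example/ping"

# The only fields a heartbeat is permitted to carry. Anything else
# (file paths, findings, API keys, user names) is rejected before sending.
ALLOWED_FIELDS = frozenset({"version", "install_id", "event"})


def telemetry_disabled(env: dict) -> bool:
    """GHOST_NO_PING=1 turns off all outbound telemetry."""
    return env.get("GHOST_NO_PING", "") == "1"


def load_or_create_install_id(state_dir) -> str:
    """Anonymized install ID: a random token generated once per install and
    kept locally; only its SHA-256 leaves the machine, so the ID is stable
    for this install but carries no host name, user or path."""
    state_dir = Path(state_dir)
    token_file = state_dir / "install_token"
    if token_file.exists():
        token = token_file.read_text().strip()
    else:
        token = secrets.token_hex(16)
        state_dir.mkdir(parents=True, exist_ok=True)
        token_file.write_text(token)
    return hashlib.sha256(token.encode()).hexdigest()


def build_heartbeat(**fields) -> dict:
    """Assemble the ping, refusing any field outside the allow-list."""
    extra = set(fields) - ALLOWED_FIELDS
    if extra:
        raise ValueError(f"heartbeat carries disallowed fields: {sorted(extra)}")
    missing = ALLOWED_FIELDS - set(fields)
    if missing:
        raise ValueError(f"heartbeat missing fields: {sorted(missing)}")
    return {k: str(fields[k]) for k in sorted(ALLOWED_FIELDS)}


def prepare_heartbeat(env: dict, state_dir, version: str, event: str) -> Optional[dict]:
    """Return the payload that would be sent, or None when the user opted out.
    Nothing is sent here; separating 'decide' from 'send' keeps the gate testable."""
    if telemetry_disabled(env):
        return None
    return build_heartbeat(
        version=version,
        install_id=load_or_create_install_id(state_dir),
        event=event,
    )


def send_heartbeat(payload: dict, url: str = TELEMETRY_URL) -> bool:
    """Best-effort POST with a short timeout; a telemetry failure must never
    affect the scan, so every error is swallowed."""
    data = json.dumps(payload).encode()
    req = urllib.request.Request(
        url, data=data, headers={"Content-Type": "application/json"}, method="POST"
    )
    try:
        with urllib.request.urlopen(req, timeout=3):
            return True
    except Exception:
        return False


if __name__ == "__main__":
    import os
    ping = prepare_heartbeat(dict(os.environ), Path.home() / ".ghost-example", "0.0.0", "cli-firstrun-docker")
    print("telemetry disabled" if ping is None else json.dumps(ping))
```

The point for a reviewer is that the opt-out is checked before any payload is assembled, and that the payload shape is enforced by an allow-list rather than by convention, so a future field such as a file path cannot slip into the ping without failing loudly.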
// architecture

What we operate, and what we do not

We operate
A static marketing website (this one), a Cloudflare Worker that receives anonymous heartbeat pings for install analytics, an Airtable base that stores those anonymous pings, and the Ghost Open package on the public npm registry.
We do not operate
Any server that stores, processes, or transmits customer source code. Any database of customer findings reports. Any AI inference infrastructure that sees your code. Any analytics service that profiles your team or users.
Source control
For Team and Enterprise tiers, findings reports are synced to a private GitHub repository provisioned in your own GitHub organization. Ghost Architect™ does not host these repositories. Access control, retention, and deletion are managed entirely by you under GitHub's terms.
Authentication
Your Anthropic API key is stored locally on your machine in a configuration file you control. It is never transmitted to Ghost Architect™. You can rotate or revoke it at any time without involving us.
// compliance posture

On SOC 2 and ISO 27001

Ghost Architect™ is operated by a solo founder running a deliberately minimal infrastructure footprint. We do not currently hold SOC 2 Type II or ISO 27001 certifications. We believe in being direct about that rather than displaying badges we have not earned.

The reason we are comfortable engaging with security-conscious teams without those certifications is that the product is architected so that the data those frameworks are designed to protect never enters our infrastructure in the first place. Your source code, your API keys, and your findings reports all stay on systems you control. There is no Ghost Architect™ data plane for an auditor to certify.

When Ghost Architect™'s enterprise revenue justifies the audit cost, and when an enterprise customer requires it as a condition of contract, we will pursue SOC 2 readiness through a recognized provider. Until then, we direct your security team to this page, to Anthropic's enterprise compliance documentation, and to the source code itself.

// for security reviewers

Verifying these claims yourself

Everything described on this page is independently verifiable.

Your security team has questions?

We answer security review questionnaires directly. No vendor portal, no compliance theater.

support@ghostarchitect.dev

Last updated: May 15, 2026