# Security Policy

> How Tusk keeps your code and data secure

**Last updated:** Aug 12, 2025

<img style={{ borderRadius: '0.5rem', width: '140px', height: '140px' }} src="https://mintcdn.com/tusk/g9ARE0f2IAwondFu/images/SOC-NonCPA-Badge.png?fit=max&auto=format&n=g9ARE0f2IAwondFu&q=85&s=90019e9be621eaabe5d30343f38cd2ca" alt="AICPA SOC Badge" width="359" height="357" data-path="images/SOC-NonCPA-Badge.png" />

## Security & Privacy

[Security & Compliance Report](https://app.drata.com/security-report/d0e57bf6-76ce-4b60-bb2e-dbf0645c7069/f4fee1c8-50a8-458c-a593-e05da4720fc7?region=NA)

Tusk and our LLM providers (Anthropic, OpenAI, Gemini) **do not** use your source code to train models. These LLM providers may securely retain API inputs and outputs for up to 30 days to identify abuse.

Tusk uses a multi-tenant architecture to provide isolation between customers, so your source code **will not** be accessible to other customers. Tusk stores non-readable embeddings of the files in your synced code repositories, not the files themselves.

If requested, we can block specific directories from being synced so that Tusk never gets access to embeddings of files in those directories. When Tusk needs to access the repo, it fetches data from the GitHub/GitLab API at runtime without permanent storage on our servers.

Tusk **does not** modify any code in your code repository that it has not created. Our AI agent will only add discussion comments and, if manually triggered, commits to your pull request's branch.

All REST API transmissions are HTTPS-protected, and we use TLS for data encryption. Stringent access controls restrict data access to authorized personnel only. Our team has continuous monitoring set up to ensure immediate response to potential security threats.

## Data Ownership

You retain all rights to the inputs that you provide to Tusk. You own any output that you rightfully receive from our services to the extent permitted by law.

We only receive rights in input and output as required to provide you with our services, comply with applicable law, and enforce our policies.

Please see our [Privacy Policy](https://www.usetusk.ai/privacy) for more details.

## Version Control Permissions

### Read access

* Deployments

* Members

* Metadata

### Read and write access

* Actions

* Checks

* Commit statuses

* Contents

* Discussions

* Issues

* Pull requests

* Repository hooks

* Webhooks

* Workflows

## FAQs

<AccordionGroup>
  <Accordion title="Is Tusk SOC 2 compliant?">
    Yes, Tusk is SOC 2 Type II certified. Our SOC 2 Type II report is available on request. You can also refer to our [Security & Compliance Report](https://app.drata.com/security-report/d0e57bf6-76ce-4b60-bb2e-dbf0645c7069/f4fee1c8-50a8-458c-a593-e05da4720fc7?region=NA).
  </Accordion>

  <Accordion title="Does Tusk do regular security audits?">
    We follow security best practices and have regular internal security reviews. We also have regular external security audits as part of our SOC 2 Type II certification and in the form of penetration testing.
  </Accordion>

  <Accordion title="How can I report a security issue?">
    Please email us at [security@usetusk.ai](mailto:security@usetusk.ai). We will review the issue and respond promptly.
  </Accordion>

  <Accordion title="How do I delete my data?">
    Upon offboarding, all your data will be permanently deleted from our servers. You can also reach out to us at [security@usetusk.ai](mailto:security@usetusk.ai) to request the secure deletion of your data.
  </Accordion>
</AccordionGroup>
