We take our own
security seriously
Due to the sensitivity of the data stored in Aikido, security on our own platform is our highest priority.
Privacy & GDPR
Aikido is in full compliance of the General Data Protection Regulation (GDPR).
Read more
Compliance
Aikido is both ISO 27001:2022 & AICPA's SOC 2 Type II compliant.
Request certificates
Pentesting & Bug Bounties
Aikido conducts annual external pentests and maintains an active bug bounty program.
Message help@aikido.dev with your Intigriti username to get invited to the bug bounty program.
Request bug bounty access
Aikido
never stores your code.
Aikido doesn't store your code after completing the analysis. We perform actions such as git clones in a fresh docker container for each repository. After analysis, the data is wiped and the docker container is terminated.
Online scanning
For GitHub, no refresh or access tokens are stored in our database. An Aikido database breach would not result in your GitHub code being downloadable. By default, our integrations require a read-only scope.
Local scanning
Alternatively, you can run Aikido locally (on-prem) as well. Download the Aikido local scanners to get started.
Trusted by
innovative dev teams
Embraced by pioneering development teams worldwide.
.svg)
FAQ
Can I try Aikido without giving access to my own code?
Yes - you can connect a real repo (read-only access), or use our public demo project to explore the platform. All scans are read-only and Aikido never makes changes to your code. Fixes are proposed via pull requests you review and merge.
What happens to my data?
We clone the repositories inside of temporary environments (such as docker containers unique to you). Those containers are disposed of, after analysis. The duration of the test and scans themselves take about 1-5 mins. All the clones and containers are then auto-removed after that, always, every time, for every customer.
Does Aikido make changes to my codebase?
We can’t & won’t, this is guaranteed by read-only access.
What do you do with my source code?
Aikido does not store your code after analysis has taken place. Some of the analysis jobs such as SAST or Secrets Detection require a git clone operation. More detailed information can be found on docs.aikido.dev.
How can I trust Aikido?
We’re doing everything we can to be fully secure & compliant. Aikido has been examined to attest that its system and the suitability of the design of controls meets the AICPA's SOC 2 Type II & ISO 27001:2022 requirements. Find out more on our Trust Center.
Does Aikido require agents?
No! Unlike others, we're fully API based, no agents are needed to deploy Aikido! This way you're up & running in mere minutes & we're way less intrusive!
Has Aikido itself been security tested?
Yes — we run yearly third-party pentests and maintain a continuous bug bounty program to catch issues early.
Do you have a bug bounty programme?
Yes we do! You can find the our bug bounty programmes on Intigriti.
.webp)
Share how you score on unbiased standards & best practices
Get an instant SOC 2, ISO 27001 or OWASP Top 10 report
Know where you stand on the technical vulnerability management controls for your compliance certification.
Share your security reports with your leads in just a few clicks, so you can get through security reviews faster.
Decide which information you'd like to share such as:
Aikido is available on any device, worldwide.
Health checks & simple pings of the components are used to check if the functions are operational.
At Aikido, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a security vulnerability, we would like to know about it so we can take steps to address it as quickly as possible.