Security Practices

We take the security of customer data very seriously at Number Labs, Inc. dba Torvalds.dev. If you have additional questions regarding security, we are happy to answer them. Please write to security@torvalds.dev and we will respond as quickly as we can. The Security Practices page describes the administrative, technical, and physical controls applicable to Torvalds.dev.

Hosting and Architecture

Torvalds.dev is available as a cloud-based service.

Cloud-based (hosted) services

The infrastructure for Torvalds.dev is provided and hosted by Amazon Web Services, Inc. ("AWS"). Information about security provided by AWS is available from the AWS Security website. Information about security and privacy-related audits and certifications received by AWS, including information on SOC reports, is available from the AWS Compliance website.

In addition to AWS, Torvalds.dev uses vector database services from Pinecone Systems, Inc.

Lastly, Torvalds.dev's cloud-based version uses OpenAI's API platform for AI inference. Information about their security practices can be found at the OpenAI Enterprise Privacy page.

Storage of Customer Code

Torvalds.dev does not store customer code. Torvalds.dev may store vector embeddings of file paths, documentation, and AI-generated docstrings in a vector database, but code is pulled on an 'as-needed' basis from the customer's code hosting service, such as GitHub, if and only if the customer has explicitly consented for a specific use case or if the code is publicly available under a permissible open-source license.

Note that if the customer chooses the on-premises option, their code will not leave their servers or their provisioned cloud at all.

If the customer chooses to use the cloud-based version of Torvalds.dev, the ephemeral storage of code will occur on AWS services provisioned by Torvalds.dev.

Storage of Customer Data

Torvalds.dev stores logs of customer chats in an AWS DynamoDB database. Members of the Torvalds.dev team may access these chat logs in order to provide technical support. Note that in the self-hosted service, logs are stored on customer servers only.

Confidentiality and security controls

Confidentiality

Torvalds.dev places strict controls over its employees' access to Customer Data. The operation of Torvalds.dev requires that some employees have access to the systems which store or process this information and data.

For example, in order to diagnose a problem the customer is having with the Torvalds.dev services, we may need to access the customer's account. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to the customer account is logged.

All of our employees and contract personnel are bound to our policies regarding confidentiality, and we treat these issues as matters of the highest importance within our company.

Return and deletion of customer data

Within 30 days after contract termination, the customer may request return of Customer Data stored by Torvalds.dev (to the extent such data has not already been deleted by the customer).

Torvalds.dev provides the option for administrators to delete all Customer Data stored by Torvalds.dev at any time during a subscription term. Within 24 hours of administrator-initiated deletion, Torvalds.dev hard deletes all Customer Data from currently running production systems. Torvalds.dev-maintained backups of services and data may be destroyed within 30 days (backups are destroyed within 30 days, except that during an ongoing investigation of an incident such period may be temporarily extended).

Monitoring and validation

Certificates

Torvalds.dev is SOC2 Type II compliant. Customers may download a copy of Torvalds.dev's SOC2 Type II report by reaching out to security@torvalds.dev.

At a minimum, Torvalds.dev will align with prevailing industry standards such as SOC 2 Type II, or any successor or superseding standard.

Audits

To verify that our security practices are sound and to monitor the Torvalds.dev services for new vulnerabilities discovered by the security research community, the Torvalds.dev services undergo security assessments by internal personnel and by respected external security firms who perform regular audits of the Torvalds.dev services. In addition to periodic and targeted audits of the Torvalds.dev services, we also employ continuous hybrid automated scanning of our web platform. Customers may download a copy of available applicable external audit reports by reaching out to security@torvalds.dev.

Personnel

Torvalds.dev conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the Torvalds.dev services.

For any other questions, please feel free to reach out to security@torvalds.dev, and we will get right back to you.

SOC2 Compliant
All data integration is 100% secure and SOC2 compliant.