Trust and security

Hold your vendor to the standard you hold your code

Here is how Verifi handles your data. The short version: we pull intelligence to you, we do not pull your code to us.

01 Data minimization

By default, Verifi analyses manifests, lockfiles, and package metadata, not your application source. What we need to know is what you depend on, not what you wrote.

02 The one exception, contained

Reachability analysis is the only step that reads your source. It runs inside your perimeter (in CI, the proxy, or an agent you control) and emits only the result (reachable: yes or no), never the source itself.

03 Deployment is your choice

Hosted (SaaS): your data lives in an isolated, per-tenant store. Self-hosted or in your own VPC: the proxy, connectors, and decisioning run entirely inside your perimeter, and only anonymized verdicts (or nothing) leave.

04 One-way intelligence

Global threat intelligence flows to you, read-only. Your estate data stays in your tenant and never enters the shared corpus. Any signal that flows back is minimal, derived, and opt-in.

05 Auditable by design

Every block and every automated action traces back to the finding, the decision, and the policy version that caused it. That trail is the evidence standards ask for.

We pull intelligence to you; we do not pull your code to us.