Last updated: June 10, 2026

Privacy Policy

Effective date: June 10, 2026

This Privacy Policy describes how Deptic ("we", "us", "our") collects, uses, and protects information when you use the Deptic software supply chain security platform at deptic.in and through our API and CLI tools. We are committed to protecting your privacy and being transparent about our data practices.

1. Information we collect

1.1 Account information

When you sign up using GitHub OAuth, we receive from GitHub:

  • Your GitHub username and display name
  • Your primary email address registered with GitHub
  • Your GitHub user ID (used as your unique identifier in Deptic)
  • Your public profile avatar URL

We do not receive your GitHub password. We do not store your GitHub OAuth token beyond your active session.

1.2 Repository data

When you initiate a scan, Deptic accesses:

  • Manifest files only: package.json, requirements.txt, pyproject.toml, pom.xml, go.mod, Cargo.toml, Gemfile, composer.json, and equivalent files
  • The repository file tree (list of file paths) to locate manifest files

We do NOT access, read, or store:

  • Your source code
  • Configuration files (.env, application.yml, secrets)
  • Non-manifest files of any kind
  • Private repository contents beyond manifest files

Manifest file contents are processed in memory to resolve dependency trees and are not persisted after scanning completes. Structured component data (package name, version, license, PURL) is stored in our database.

1.3 Scan results

We store the following structured data from scans:

  • Package name, version, ecosystem, license, and Package URL (PURL) for each resolved component
  • CVE identifiers and severity scores for detected vulnerabilities
  • NTIA compliance scores and element coverage data
  • Scan metadata: repository URL, scan timestamp, duration, status

Generated SBOM files (CycloneDX JSON, SPDX, PDF) are stored in encrypted object storage (iDrive E2) with a unique key per file. Share links to SBOM files expire after the duration you set (30–180 days). API-triggered scan files expire after 1 hour.

1.4 Technical data

We automatically collect:

  • IP address (used for rate limiting and abuse prevention, not linked to your identity in logs)
  • Browser type and version (from User-Agent header)
  • Operating system (used to name push notification subscriptions)
  • Pages visited within the Deptic dashboard (for product analytics)
  • Timestamps of scan creation, completion, and report exports

1.5 Push notification subscriptions

If you enable browser push notifications, we store:

  • Your push subscription endpoint URL (provided by your browser)
  • Encryption keys (p256dh and auth values) required to encrypt push payloads
  • Device name (derived from User-Agent)

Push notification content is encrypted end-to-end between our server and your browser. We cannot read notification content after delivery.

1.6 Webhook data

If you enable auto-scan via GitHub webhooks, we store:

  • GitHub webhook ID for each registered webhook
  • A randomly generated HMAC secret per webhook (used to verify GitHub signatures)
  • Push event metadata: branch name, commit SHA, pusher username, timestamp

We do NOT store the full GitHub webhook payload beyond the metadata listed above.

2. How we use your information

  • To provide the Deptic service: resolving dependencies, detecting CVEs, generating SBOMs, producing compliance reports
  • To authenticate your identity and authorize access to your scans and workspace
  • To register and verify GitHub webhooks for auto-scan functionality
  • To send push notifications for scan completion, vulnerability alerts, and account security events
  • To enforce rate limits and prevent abuse of the API and scan infrastructure
  • To improve Deptic: understanding which features are used, scan durations, error rates
  • To respond to support requests and security reports

We do not use your data for advertising. We do not sell your data to third parties. We do not use your repository data to train machine learning models.

3. Data sharing

3.1 Infrastructure providers

  Provider   | Purpose                      | Data shared                          | Location
  -----------+------------------------------+--------------------------------------+---------------
  Supabase   | Database and authentication  | Account data, scan results           | EU (Frankfurt)
  Upstash    | Redis caching                | Temporary scan cache (TTL 24h)       | EU/US
  iDrive E2  | SBOM file storage            | SBOM files, PDF reports              | US
  Resend     | Transactional email          | Email address, notification content  | US
  Vercel     | Frontend hosting             | Page requests, static assets         | Global CDN
  Railway    | API hosting                  | API requests                         | US

3.2 GitHub

Deptic communicates with the GitHub API to:

  • Fetch repository file trees and manifest file contents during scans
  • Register and manage webhooks on repositories where you enable auto-scan
  • Create branches and Pull Requests when you use Fix with PR
  • Read your repository list when you connect to the Projects page

This communication uses OAuth tokens issued during your GitHub sign-in. Tokens are used only during active operations and are not stored persistently beyond your session.

3.3 Vendor sharing portal

When you generate a share link for an SBOM report, the recipient can view the report without an account. You control the expiry of share links. We log view counts and timestamps for share links. The recipient's IP address is logged for security purposes.

3.4 Workspace members

Scan results, vulnerability data, and compliance reports are visible to all members of a shared workspace. When you create a workspace and invite members, those members can see all scans initiated within that workspace.

4. Data retention

  Data type                  | Retention period
  ---------------------------+-----------------------------------------
  Account data               | Until account deletion
  Scan metadata              | Until account deletion
  Component inventory        | Until account deletion
  CVE data                   | Until account deletion
  SBOM files (dashboard)     | Until account deletion
  SBOM files (API/CLI scan)  | 1 hour from generation
  Share link files           | Until link expiry date (max 180 days)
  Webhook event logs         | 90 days
  Push notification log      | 30 days
  Deleted account data       | Purged within 30 days of deletion

Redis cache entries (temporary scan data) expire automatically per their TTL — typically 24 hours for component metadata, 6 hours for clean version data.

5. Your rights

Depending on your location, you may have the following rights regarding your personal data:

  • Right to access: request a copy of all data Deptic holds about you
  • Right to deletion: delete your account and all associated data at Settings → Profile → Delete Account. Deletion is permanent and cannot be undone.
  • Right to portability: export your scan history and SBOM files before deleting your account
  • Right to correction: update your profile information at Settings → Profile
  • Right to object: opt out of product analytics by contacting privacy@deptic.in
  • Right to withdraw consent: disable push notifications at any time in Settings → Notifications

To exercise any right, email privacy@deptic.in. We will respond within 30 days.

6. Security

Deptic implements the following security controls:

  • All data transmitted over HTTPS/TLS 1.3
  • Database encrypted at rest (Supabase AES-256)
  • SBOM files stored with server-side encryption (AES-256)
  • API keys stored as SHA-256 hashes — plaintext is never persisted
  • GitHub webhook payloads verified using HMAC-SHA256 signatures
  • Push notification payloads encrypted end-to-end (Web Push standard)
  • Row-level security on database tables — users can only access their own data
  • JWT tokens expire after 1 hour and are refreshed automatically

If you discover a security vulnerability in Deptic, please email security@deptic.in. We will acknowledge within 48 hours and aim to resolve within 14 days.

7. Cookies

Deptic uses minimal cookies:

  • Authentication cookie: set by Supabase to maintain your login session. Expires when you sign out or after 7 days of inactivity. This cookie is strictly necessary — the service cannot function without it.
  • No advertising cookies
  • No cross-site tracking cookies
  • No third-party analytics cookies

We do not use Google Analytics, Mixpanel, Segment, or any behavioral analytics platform that tracks you across the web.

8. Changes to this policy

We will notify users of material changes to this Privacy Policy via email and in-app notification at least 14 days before changes take effect. Continued use of Deptic after the effective date constitutes acceptance of the updated policy.

9. Contact