Why does Vaultinum need access to source code during a Tech Due Diligence?
Access to the source code allows us to:
- Identify declared and undeclared third-party dependencies
- Detect known vulnerabilities mapped to specific components
- Assess open-source licensing exposure
- Evaluate maintainability indicators based on repository structure and history
- Analyse development activity patterns over time
This insight significantly increases the accuracy and completeness of the assessment by enabling verification against the actual code base rather than relying solely on self-reported information.
The process extracts technical metadata and indicators only. It does not involve reviewing business logic, reproducing functionality, or reverse engineering the application.
How is source code processed and who has access to it during a Technology Due Diligence?
The source code is processed exclusively by Vaultinum’s automated analysis engine in an isolated environment. It is uploaded through a secure channel and immediately transferred to a segregated analysis server, without being copied to internal workstations or shared systems.
No employee has direct access to the source code at any stage of the process.
The system extracts technical fingerprints and analysis metadata only. The source code remains temporarily present only in the isolated analysis environment and is automatically deleted once processing is complete.
Do clients remain in control of source code during a Tech Due Diligence?
The client maintains control over which repository and which version is uploaded. Processing is strictly read-only and non-intrusive: Vaultinum cannot modify, execute, or redistribute the application. The upload is initiated by the client and limited to the selected scope.
Can the client run the analysis internally and provide the results to Vaultinum?
Internal execution is not possible, as the analysis relies on Vaultinum’s proprietary controlled environment and processing pipeline. This environment is specifically designed to guarantee confidentiality and prevent exposure of the source code during analysis.
Alternatively, we could provide a Docker container. However, this would limit the scope of our analysis, as some engines cannot be run on-premises due to licensing constraints, and it would require more time and effort to set up on both sides.
What security and data protection guarantees are provided during a Technology Due Diligence?
Vaultinum holds ISO 27001 certification.
All information is processed solely for the purpose of the audit and covered by contractual confidentiality obligations. Access is restricted to authorised personnel under controlled procedures aligned with ISO 27001 and GDPR requirements.
Vaultinum also guarantees that transmitted information, including source code, is never used for Artificial Intelligence or LLM (Large Language Model) training.
What safeguards are implemented to protect source code during processing?
The due diligence process involves the collection of two types of information: source code and supporting documentation.
For source code:
- Code is provided via secure Git access or uploaded through Vaultinum’s secure platform
- Transfers occur over encrypted channels
- Source code is transferred to a dedicated isolated analysis environment hosted on a segmented network
- Processing is fully automated; no human access to the source code is permitted
- The code is stored temporarily for the duration of the scan and automatically deleted after processing
- Source code is never downloaded to employee endpoints
For other materials:
- Documents are centralised within a secure data room dedicated to the project, enabling structured communication and facilitating the review and Q&A phases between investors and management
- Documents are shared exclusively via a controlled project data room workflow and not by email
- The client retains control over what is uploaded and shared within scope
- Access to the project space is restricted to authorised users
- Documents are handled under the same ISO 27001 confidentiality and access control framework and are used solely for due diligence deliverables
What access control and information security policies are in place?
Vaultinum maintains formal information security and access control policies aligned with ISO 27001 requirements.
These controls include the principle of least privilege, role-based access control (RBAC), segregation of duties, strong authentication for privileged access, regular review of access rights, and controlled administrative access via bastion infrastructure.
All employees are bound by confidentiality clauses and internal security policies.
What data leak prevention measures are implemented to protect source code?
Vaultinum applies organisational and technical measures to prevent unauthorised extraction or dissemination of client information.
These include:
- Isolated processing environments for source code
- No human access to source code during automated scans
- Controlled document sharing via secure data room
- Data classification framework
- Strict access control enforcement
- Encryption at rest
- Encryption in transit (TLS, SSL VPN, IPSec VPN)
- Network segmentation and inter-VLAN firewall filtering
- Intrusion Prevention Systems (IPS)
- Filtering proxy
- Monitoring of sensitive access (e.g., Administrator actions, Active Directory modifications, VPN access)
- Bastion-controlled privileged access
Security events are logged and centralised within a SIEM, with weekly monitoring reports and audit reviews.
All measures operate under our ISO 27001 ISMS and internal PSSI (information systems security policy) framework.
What encryption policies are applied to protect source code and data?
Vaultinum maintains a formal encryption policy aligned with ISO 27001.
Data in transit is protected via TLS and secure VPN technologies (SSL VPN, IPSec), while sensitive data at rest is encrypted, including client repositories and archives.
What security controls are implemented at the endpoint and system level during source code analysis?
Source code is processed exclusively within an isolated analysis environment and never stored on employee endpoints.
Administrative access is restricted and monitored, while network segmentation limits lateral movement.
Firewall rules strictly control inbound, outbound, and inter-VLAN traffic.
Security events are centralised in a SIEM with regular review and audit.
Is a certificate of destruction provided after source code analysis?
Vaultinum provides a formal Certificate of Destruction confirming deletion once the project is finalised.
Do Vaultinum employees have access to the source code?
No employee accesses the source code.
Personnel operate under confidentiality obligations and controlled access procedures in accordance with ISO 27001.
Ensuring security and confidentiality at Vaultinum
Vaultinum’s approach to source code analysis is designed to combine detailed analysis with strong data security.
The process relies on Vaultinum’s proprietary analysis tools, running in a dedicated isolated environment. No human has access to the source code at any stage. This allows technical indicators to be extracted while keeping the code fully confidential.
With controlled infrastructure, strict access management and automated processing, source code is handled in line with ISO 27001 requirements and industry standards.
This approach gives investors a clear and reliable view of the technology, while ensuring that the company’s intellectual property remains protected throughout the tech due diligence.
Disclaimer
The opinions, presentations, figures and estimates set forth on the website including in the blog are for informational purposes only and should not be construed as legal advice. For legal advice you should contact a legal professional in your jurisdiction.
The use of any content on this website, including in this blog, for any commercial purposes, including resale, is prohibited, unless permission is first obtained from Vaultinum. Request for permission should state the purpose and the extent of the reproduction. For non-commercial purposes, all material in this publication may be freely quoted or reprinted, but acknowledgement is required, together with a link to this website.
