Questions, answered

Plain English. Honest. No jargon. If your question isn't here, email hello@securie.ai and we'll answer within a business day.

Access note: Public OSS repos can start on the capped verification path. Private repos use managed plans with proof runs, verified fixes, and evidence. Request a review and we will route your repo to the right path.
I don't know what any of this security stuff means. Can I still use Securie?

Yes — that's who Securie is for. Every finding is written in plain English. Example: 'Your checkout page lets other people read Jane's orders. Click Merge to fix.' If you can read that sentence, you can use Securie.

Will Securie break my Lovable / Bolt / v0 app?

No. Securie reads your code — it doesn't run it. We never change your code without your explicit approval. Every fix is a proposal (a pull request) that you choose to merge or ignore.

I didn't write any of my code. AI wrote it. Does that matter?

It means you need Securie more, not less. AI-generated code often ships working features faster than it ships the security checks around them. Securie is built for AI-assisted codebases and still reviews the human-written parts of the app.

My app only has 20 users. Do I really need this?

Honestly, if it's truly a hobby with no payments and no personal data, you can wait. But if even one user pays you or trusts you with their data, the moment you get 'hacked' costs more than a year of Securie. The free public OSS path removes the decision.

Will this cost me money later?

Public OSS can start free with capped verification, a public badge, and a public verification page. Private repos use managed Securie plans for private evidence, deeper proof runs, verified fix PRs, deploy gates, and support.

What does managed access mean? Am I a test subject?

No. Managed access means we route each repo to the right path and keep review quality reliable. Public OSS can start free with hard caps; private repos use paid plans with private evidence, proof runs, verified fixes, and deploy gates.

What if Securie finds something and I don't understand it?

Every finding has a plain-English explanation and a suggested fix. If you still don't understand, you can ask us directly — paid tiers include founder-to-founder Slack access.

What if I'm not sure whether to merge a fix?

Don't merge it. Every proposed fix sits as an open pull request until you're comfortable. You can also reply to the PR with a question and we'll walk you through it.

Do you read my code? Does my code leave my computer?

We read your code to analyze it, yes — Securie reads it inside a sealed secure environment you can verify remotely. On enterprise plans, the analysis runs inside your own cloud account. Your code never ends up in a training dataset.

Will Securie make my app slower?

No. Securie runs outside your app (on GitHub / Vercel, at code-review time). It never runs inside your production runtime. Your users never notice Securie is there.

Can I uninstall Securie if I change my mind?

Yes. One click in GitHub / Vercel settings. We stop watching your repo and your account data is deleted within 30 days. No lock-in.

My Stripe account is already PCI-compliant. Do I still need Securie?

Stripe handles payment-card compliance. Securie handles the rest of your app: leaked keys, database misconfigurations, broken logins, AI-feature bugs, and the 95% of security that isn't payment-related.

I already use Vanta. Do I still need Securie?

Vanta is a GRC platform — it tracks your compliance program. Securie is a dev tool — it scans, proves, and auto-fixes vulnerabilities in your code. They're different categories and cover different jobs.

What's the difference between Securie and ChatGPT doing a code review?

ChatGPT is a general-purpose model that will tell you what it sees in the code you paste. Securie runs specialized security models, verifies findings by actually running the exploit in a sandbox, and opens a pull request with a tested fix. It's the difference between asking a friend for health advice and going to a doctor.

Isn't Snyk / GitHub Advanced Security / Semgrep good enough?

They can work for teams that already have engineers triaging security queues and applying fixes. Fast-moving teams need a different workflow: plain-English findings, exploit proof where possible, proposed fixes, and evidence in the PR. Securie is designed for that loop.

My co-founder handles the tech side. Should we both use Securie?

Add your co-founder as a collaborator. They see the code-level detail. You see the plain-English summary. Same installation, different views.

I want to understand what I'm missing. Can Securie teach me?

Yes. Every finding explains the concept. After 3 months using Securie, most founders can intuit common security patterns. It's an education by osmosis, and you can dive deeper into the guide linked on each finding.

Will Securie help me with SOC 2 / GDPR / HIPAA?

Yes. Securie produces evidence that maps directly to SOC 2 controls, GDPR Article 32 (security measures), and the HIPAA Security Rule. Start with /checklist/soc2-startup-checklist, /guides/gdpr-for-indie-saas, and /guides/hipaa-for-startups.

I'm not in the US. Does Securie work for me?

Yes. We have customers on every continent. Our compliance coverage includes EU (GDPR + AI Act), UK, Canada, Australia, Brazil, India, Singapore, and others. See /regions for your specific country.

How long until I see results?

Public OSS can start on the capped verification path. Private repos are enabled through managed plans so proof runs, verified fixes, and evidence stay reliable. Once your repo is enabled, clean PR reviews are designed to complete in minutes and findings surface in the normal review flow.

What if I can't install Securie right now?

Request access at /scan. Until your repo is enabled, you can check Supabase yourself in Studio -> Authentication -> Policies; every user-data table should have RLS ON.
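The RLS check above, worked through as SQL you can run in the Supabase SQL editor. This is an added example, not Securie's code: it assumes a hypothetical public.orders table with a user_id uuid column (the "Jane's orders" situation from the first answer), uses the standard Postgres pg_tables catalog to audit which tables still have RLS off, and then adds owner-only policies so a signed-in user can only read and write their own rows.

```sql
-- Added example (not Securie's code). Assumes a hypothetical table
-- public.orders (id, user_id uuid, ...) holding per-user data.

-- 1. Audit: list tables in the public schema that still have RLS off.
--    pg_tables.rowsecurity is false until ENABLE ROW LEVEL SECURITY has
--    run; every user-data table should be absent from this result.
select schemaname, tablename
from pg_tables
where schemaname = 'public'
  and not rowsecurity;

-- 2. Enable RLS. With RLS on and no policies yet, the anon and
--    authenticated roles get zero rows (deny by default). The table owner
--    and Supabase's service_role bypass RLS, so trusted server-side code
--    keeps working; only client-side access through the API is restricted.
alter table public.orders enable row level security;

-- 3. Read policy: a signed-in user sees only rows whose user_id matches
--    their own id. auth.uid() reads the caller's id from the JWT and is
--    null for anonymous requests, so the comparison fails for them.
create policy "orders_select_own"
  on public.orders
  for select
  to authenticated
  using (auth.uid() = user_id);

-- 4. Write policies: a user may only insert or update rows they own.
--    WITH CHECK validates the new row; USING filters the existing rows.
create policy "orders_insert_own"
  on public.orders
  for insert
  to authenticated
  with check (auth.uid() = user_id);

create policy "orders_update_own"
  on public.orders
  for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);
```

Re-run the audit query after applying this; any table that still appears and holds user data is the gap described in the answer. Note that enabling RLS without also writing policies locks the table down completely for client requests, so add at least a select policy for each table you enable.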

Who runs Securie? Is this a real company?

Securie is a Delaware C-corp. We publish a public AI Bill of Materials at /ai-bill-of-materials and security policies under /legal.

I'm a developer — does Securie also work for me?

Yes. Senior devs appreciate the sandbox-verified findings (no false positives) and the auto-fix PRs (saves time). We built Securie to be useful for both non-technical founders AND experienced developers.

What is MCP and do I need to worry about it?

MCP (Model Context Protocol) is the protocol AI agents like Claude and Cursor use to call external tools. An April 2026 wave hit 200,000+ MCP servers with a design-level RCE flaw. If your agent connects to MCP servers, yes — Securie's MCP trust-enforcement layer handles it.

Will Securie's GitHub App slow down my Cursor / Claude Code workflow?

No. Securie runs on the GitHub side (after you push). It doesn't slow down your editor. PR review takes 30-90 seconds in parallel with your code review.

Does Securie know about the Lovable BOLA April 2026 breach?

Yes — see /incidents/lovable-bola-april-2026. The same RLS-missing pattern is exactly what Securie's Supabase RLS specialist catches before merge.

What's the EU AI Act and does my AI SaaS need to comply?

It's an EU regulation enforced from August 2 2026 for high-risk AI systems. Most consumer AI SaaS is NOT high-risk; products in employment / education / credit scoring / law enforcement / biometrics ARE. See /safe/is-my-ai-saas-high-risk-under-eu-ai-act.

Can Securie scan my Cursor agent's autonomous edits?

Yes — Securie reviews every PR Cursor pushes. The compile-time scope guard also limits which destructive operations the agent can perform.

What happens if I leave my .claude/settings.local.json in my repo?

Per a Lakera April 2026 study, 8% of npm packages containing this file had live credentials, and the Bitwarden CLI hijack actively hunted these paths. Add `.claude/`, `.cursor/`, and `.continue/` to .gitignore and .npmignore. Securie's secrets specialist catches missed cases at PR time.

Can Securie's offensive swarm find bugs my customers won't see?

Yes. Autonomous Pentest / White-hat is a scoped package that runs offensive testing against approved targets or sandboxed copies of your app, then produces a report, proof, remediation guidance, and a retest window.