Codebase security

Last updated: Oct 15, 2025


Dessn takes the security of your code very seriously. We require read-only access to your codebase because we genuinely believe that this is the best way to solve the problem. Production is the source of truth for your product, and bringing non-developers into that environment will enable you to move much faster and more effectively.


Here are some details about how we handle your codebase:

  • When you connect a repository, Dessn’s control plane requests only the scoped access you approve (usually read-only). That token is stored securely and can be revoked by you at any time.

  • For each project or session, Dessn launches an isolated microVM. This VM receives a short-lived credential and performs the entire workflow inside that sandbox: cloning your repo, installing dependencies, running setup, and compiling. The clone lives only inside the microVM’s ephemeral filesystem and is never copied to shared storage.

  • When the agent needs reasoning help, the VM sends only the minimal code snippets or context required to the Amazon Bedrock API, which is configured for zero data retention. No full repo is ever transmitted, and none of your code is used for model training.

  • As the VM works, it sends back derived metadata only (like component structures, tokens, and prototype definitions) to the Dessn control plane. Your raw code never leaves the VM. The microVM can be destroyed at any time, wiping its entire filesystem.

  • This setup ensures your repository remains isolated, access is scoped and controlled, and no persistent copy of your code exists anywhere outside the ephemeral VM.



