We don't ask you to trust us. We give you proof.

The problem

Source code is the most sensitive asset in any software transaction.

When you hand over a codebase for due diligence, you're trusting the analyst with your company's core intellectual property — trade secrets, proprietary algorithms, security architecture, and business logic.

Most due diligence providers ask you to take their word that your code was handled responsibly. They might have an NDA and a verbal assurance. But you have no way to verify what actually happened — when your code was accessed, what was done with it, or whether it was truly deleted afterwards.

Polaris eliminates that trust gap entirely.

Tamper-evident audit trail

Every event recorded. Every record linked. Nothing can be altered.

From the moment your repository is received to the moment it is permanently destroyed, every event in the analysis lifecycle is recorded in a SHA-256 hash chain.

How it works

Each event — code received, scanner executed, report generated, code deleted — is hashed using SHA-256. Critically, each hash incorporates the hash of the previous event. This means altering any single record invalidates every subsequent hash in the chain.

What gets recorded

• Repository received — timestamp, size, source
• Each scanner execution — scanner name, duration, finding count
• Report generation — timestamp, duration, section count
• Repository deletion — timestamp, deletion method
• All client data purged — confirmation that no source code remains on any system

A typical engagement records 35–40 chained events. Any tampering — even changing a single character in a single event — is immediately detectable by recomputing the hash chain.

Blockchain anchoring

Timestamped on the Bitcoin network. No trust in Polaris required.

After the audit trail is complete, the chain tip hash is submitted to the Bitcoin blockchain via OpenTimestamps — an open, independently verifiable timestamping protocol used by archivists, legal professionals, and security researchers worldwide.

What this proves

• The audit trail existed at the stated time — cryptographically provable, not just our word
• The audit trail has not been modified since it was timestamped — any change invalidates the proof
• Verification is fully independent — you can verify using open-source tools without contacting Polaris

Why Bitcoin?

The Bitcoin blockchain is the most widely distributed, immutable ledger available. A timestamp anchored to it cannot be forged, backdated, or revoked — by Polaris or by anyone else. Unlike proprietary timestamping services, OpenTimestamps is open-source, free to verify, and will remain functional for as long as the Bitcoin network exists.

What you receive

• The complete audit trail JSON file with every hash-chained event
• An .ots proof file — the cryptographic receipt linking the audit trail to the Bitcoin blockchain
• Verification instructions — check the proof yourself using ots verify at opentimestamps.org

Data lifecycle

Received. Analysed. Deleted. Proven.

Your source code follows a strict, auditable lifecycle. Every stage is hash-chained and independently verifiable.

No long-term storage

Client source code is never stored beyond the analysis window. Once the report is generated, the repository is permanently deleted from all systems. The audit trail — which contains no source code, only metadata and hashes — is the sole record that the engagement occurred.

What stays, what goes

• Deleted: all client source code, cloned repositories, intermediate analysis artefacts
• Retained: the final report (PDF), the audit trail (JSON + OTS proof), and the Data Handling Certificate (HTML) — none of which contain source code

Infrastructure

Isolated by design. Not shared, not cloud-default.

Analysis runs on dedicated infrastructure that is purpose-built for handling sensitive source code.

Infrastructure principles

• Dedicated hardware — analysis runs on infrastructure reserved for Polaris engagements, not shared multi-tenant cloud instances
• Network isolation — the analysis environment is restricted to only the network access required for repository cloning and vulnerability database updates
• Full-disk encryption — all storage is encrypted at rest using LUKS, protecting data even in the event of physical theft
• No third-party data sharing — your source code is never sent to external APIs, cloud AI services, or third-party analysis tools. All 16 scanners run locally
• Minimal retention — source code exists on the system only for the duration of the analysis, typically under one hour

Our methodology

Deterministic scanners, not AI guesswork.

A growing number of "code analysis" tools are thin wrappers around large language models — they paste your source code into ChatGPT or a similar service and return whatever the model generates. This is fundamentally unsuitable for due diligence. Here's why.

AI models guess. Scanners prove.

A language model works by predicting the most likely next word. It doesn't execute your code, parse your dependency tree, or query vulnerability databases. It pattern-matches against its training data — which means it can confidently state that a vulnerability exists when it doesn't, or miss a critical one entirely because it doesn't resemble anything in its training set. In due diligence, a false positive can derail a deal; a false negative can let a material risk through undetected.

Same code, same result. Every time.

Ask a language model to analyse the same codebase twice and you will get two different answers — different findings, different severity ratings, different conclusions. This is inherent to how they work, not a bug that can be fixed. Polaris scanners are deterministic: the same code produces the same findings, the same ratings, and the same report every time. This is essential when findings need to withstand legal scrutiny or inform underwriting decisions.

Your code stays on our infrastructure. Full stop.

AI-wrapper tools send your source code — your company's most sensitive intellectual property — to third-party cloud APIs for processing. You have no control over how it's stored, cached, logged, or used for model training. Polaris runs all 16 scanners locally on dedicated, isolated infrastructure. Your code never leaves the analysis environment and is never transmitted to any external service.

Real tools reading real data

Each of our 16 scanners performs a specific, well-defined analysis task using purpose-built logic — not a prompt. For example:

• Dependency scanner — parses actual package manifests (package.json, requirements.txt, pom.xml, go.mod) and cross-references every dependency against the National Vulnerability Database. Not guessing from code patterns — reading the declared dependencies and checking them against known CVEs.
• Secret scanner — applies calibrated pattern matching and entropy analysis to detect exposed credentials, API keys, and tokens. Validated against known secret formats with tuned false-positive suppression — not an AI's opinion on whether something "looks like" a key.
• Licence scanner — reads actual licence files and headers to determine the legal terms governing every dependency. Licence compliance is binary — a library is either GPL-licensed or it isn't. An AI approximation is legally worthless.
• Git history analysis — reads the actual commit log to calculate contributor concentration, commit frequency, and maintenance recency. Factual data from the repository itself, not inferred from code style.

Why this matters for your decision

Due diligence exists to reduce uncertainty. A tool that introduces its own uncertainty — through hallucination, non-determinism, and uncontrolled data handling — defeats the purpose. Every finding in a Polaris report can be traced back to a specific scanner, a specific data source, and a specific rule. Nothing is inferred, estimated, or imagined.

Certificate

Every report ships with a Data Handling Certificate.

The Data Handling Certificate is a standalone document that summarises the chain of custody for your engagement. It is designed to be shared with stakeholders — investors, legal teams, compliance officers — as evidence of responsible data handling.

What the certificate shows

• Chain of Custody timeline — every lifecycle event with UTC timestamps: code received, each scanner executed, report generated, code deleted, data purged
• Cryptographic verification — audit trail version, event count, hash algorithm, chain tip hash, chain integrity status
• Bitcoin anchor reference — confirmation that the audit trail is anchored to the Bitcoin blockchain with OpenTimestamps, with a link to independent verification

You can view real Data Handling Certificates from our sample engagements on the Sample Reports page.

Verification

Verify everything yourself. You don't need us.

The entire system is designed so that you — or any third party — can independently verify every claim without contacting Polaris.

How to verify a Polaris engagement

• Obtain the audit trail JSON file and .ots proof file from Polaris (delivered with every report)
• Verify the hash chain: recompute SHA-256 hashes from each event's data and confirm that each event's hash incorporates the previous event's hash. Any broken link means the trail has been tampered with.
• Verify the Bitcoin timestamp: use ots verify (available at opentimestamps.org) to confirm the audit trail was anchored to the Bitcoin blockchain at the stated time
• Check the chain tip: the final hash in the audit trail must match the hash that was timestamped. Any modification to the audit trail after timestamping will cause verification to fail.

No proprietary tools, no Polaris login, no trust assumptions. The cryptography speaks for itself.