Application data privacy - avoid data leaks.

Gain continuous visibility into your sensitive data usage and leaks originating from the source code.

Don't wait to find your sensitive data leaked in production. It's free!


Scan your source code


Connect Piiano Flows to your online code repository in a click, or use our CLI tool.


Piiano Flows analyzes your source code and tracks sensitive data.


Get recommendations based on data flows and identified risks.

Why Piiano Flows

Follow the data, continuously and proactively while it's still inexpensive to fix bugs.

Piiano Flows is a privacy code scanner that statically analyzes source code. It connects to your online source code repository or runs in a CLI. It lets you track, reveal and learn about your application's sensitive data usage and leaks.

Data Visibility

Get to know your sensitive data posture, how data is received, shared, stored or leaked.


Learn what's going on based on our insights. Make smart decisions.


Stop chasing engineers. Be notified about sensitive code changes.


Scan your applications on a daily basis. It takes minutes.


Understand how to secure your data in the code.


Accelerate implementation and assessment of GDPR/CCPA/HIPAA/PCI-DSS.

Finding types

Piiano Flows shows rich results that will save you months.

Piiano Flows analyzes the source code and comes up with many different types of findings. It looks for how sensitive data flows inside your application, where it's stored, how it arrives, where it goes, and more.

PII Data Leaks

Piiano DSPM scans for logging APIs and will flag them for you, showing a full traceback of the data flow.

PII Via Inbound APIs

Piiano DSPM scans for PII data received by RESTful APIs.

PII Sharing Via Outbound APIs

Piiano DSPM scans for PII data being shared via external SDKs and APIs.

Persistent PII in Databases

Piiano DSPM scans for PII data being stored persistently into tables in databases.


Accelerate your auditing process with automatic sensitive data discovery

Source Code Based

Connect your GitHub repository in a click, or run our CLI tool. Either way, we don't access your production data.

Sensitive Data Centric

Focus on PII and other sensitive data fields in the code.

Risks & Insights

Learn about identified data risks and how to fix them.


Start working with the results within minutes.


Get full and accurate coverage by our proprietary NLP ML model.


Prioritize your work and see everything in an organized and clear way.

Questions & Answers

Everything you need to know about Piiano Flows is right here.

Where to start?

Before scanning your own repository, you can take a look at public repositories that we pre-scanned and get a closer look at our product and the value it provides. Alternatively, just hit the “New Scan” button, enter your GitHub repo’s URL, and click “Add Scan.”

How can I scan my repository?

You can scan a repository online or with our CLI tool.

  1. We support scanning both public and private Git repositories.
  2. Support for public Git repositories is limited (for security reasons) to the following vendors:
    - GitHub
    - GitLab
    - Bitbucket
    - AWS CodeCommit (git-codecommit.<region>
    - SourceForge
    - Microsoft Azure Git
    - Assembla
  3. We support private GitHub repositories too. To work with private GitHub repositories, you will be asked to approve our access. We do not support private repositories from non-GitHub vendors (such as the ones listed above). Please note that access to a private organizational repository will require the approval of an organization owner. To request approval, click the “Request” button on the app authorization page.

Note - We do not support uploading code.

How long does it take to scan a repository?

It usually takes a few minutes to scan regular repositories and up to 15 minutes or more to scan larger repositories.

Some scans take longer or don’t return any useful reports. What should I do?

If you scan a big project, it might take a while longer. However, if there are no results or you suspect an error, we would appreciate it if you reported a bug, and we will investigate it. Make sure your selected repository’s code is written in one of the supported programming languages.

What are the supported programming languages?

We support scanning Java projects only. Ruby and Golang are coming soon. If you want us to support an additional language, please contact us and let us know.

How does this technology work?

Our technology relies on static code analysis algorithms and innovative NLP AI algorithms.

What should I do if I want to use Piiano Flows without sharing the source code with Piiano?

Piiano Flows also supports running offline without sharing your code with us. In this case, it runs as a standalone docker container and can be deployed anywhere easily. Contact us to discuss pricing and terms.

Can the scanning results be shared with others?

Sure. On the “All Scans” page, click the three dots next to the “View Scan” button of the scan you want to share, and then click the “Share” option. Copy the URL and share it via email, Slack, or any other medium. Sharing the scanning results will not share your entire source code, only code fragments around the findings.

What is a code scanner?

A code scanner is a tool that statically analyzes your source code to identify references to and usages of sensitive data. It helps you gain visibility (sensitive data posture) into privacy violations, such as PII leaks, and track relevant code changes over time.

Why do I need to scan my code?

Piiano Flows lets you find references to PII and other customers’ sensitive data in your source code in minutes instead of weeks of manual work. Knowing which sensitive data types your application collects is necessary for the following tasks:

  1. You want to improve the security of sensitive data, and you aren’t 100% sure which customers’ sensitive data your application collects.
  2. You’re building a data catalog, and you want to quickly identify all the customers’ sensitive data that your application collects.
  3. You’re conducting a PIA (Privacy Impact Assessment) or DPIA (Data Protection Impact Assessment), and you want to identify customers’ sensitive data within your source code to understand the risk and mitigate it.

What information will I get by scanning my repository?

Piiano Flows will provide you:

  1. A list of log leaks! Log leaks are lines of code where the application writes sensitive data to external logs. This creates an exposure risk for your clients and your company and should be avoided. Not to mention that it violates privacy compliance, where you should be able to control all sensitive data. You can use these insights to make sure that the log level that is used is “debug” and not production, or remove/obfuscate identifiers before they’re logged.
  2. A list of customers’ sensitive data types (PII/PCI/PHI) that the application collects, together with the sensitivity level for each type; e.g., it will identify the collection and usage of names, addresses, emails, bank account numbers, passwords, phone numbers, SSNs, credit card numbers, and many more.
  3. For each type of sensitive customer data, it will show you its declaration (class member) and all its usages within your code, together with code snippets and links to your Git. Knowing which sensitive data the application collects is the first step towards hardening security and privacy. This can be achieved using Piiano Vault.
  4. A list of 3rd-party API calls that will help you ensure that sensitive data is shared only with companies that are compliant with relevant privacy regulations, such as GDPR and CCPA, and that customers’ consent is honored in the relevant cases in the code.

Accelerating privacy impact assessments (PIA/DPIA) with Piiano Flows

Piiano Flows can speed up both PIA (Privacy Impact Assessment) and DPIA (Data Protection Impact Assessment) processes by:

  1. Identifying which PII types your organization collects.
  2. Ensuring the collection of necessary PIIs is in line with your stated policy.
  3. Identifying with which 3rd party vendors you share PIIs and verifying their compliance.

Once Piiano Flows provides visibility into the risk that comes with the liability of collecting PIIs, you can start protecting this data with our vault. The Piiano Vault provides the ability to securely store the collected PIIs and simplify the compliance implementation for this data.

Data cataloging with Piiano Flows

Data catalogs help data users make better-informed decisions about their organization’s data usage, detailing what data types are stored, where they are, how they are kept and who has access to them, among other things. Data catalog software typically includes a data discovery tool and a data classification tool which require access to production environments.

  1. Supplementing existing data catalogs as a primary code discovery tool that focuses on sensitive customer data, such as PII, PHI, and PCI.
  2. Jump-starting an organization’s entire understanding of sensitive customer data usage and privacy posture.

Piiano Flows allows you to perform PII usage discovery in minutes, using only a connection to your GitHub repo.

How much does it cost to use Piiano Flows?

Piiano Flows is currently completely free for online scans.
For offline scans, you will have to contact us.

Am I limited in any way using Piiano Flows?

  1. Every user can issue a single scan at a time. An existing scan must be completed or canceled to issue a new one.
  2. Every user can create up to 10 scans a week. It could be either for different repositories or multiple scans for the same repository (useful when the code has changed).

Contact us if you require multiple scans in parallel or additional scans per week.

How long will my scan results be saved?

Your scan results will be saved for 30 days. After this time, they will be deleted automatically. If needed, you can rescan your repository.

What do you do with my source code and data?

  1. First and foremost – we use it to provide you with the report.
  2. Every time you scan your repository, we fetch the code by git-cloning it, scan it, and immediately delete it.
  3. We only keep some code fragments to improve our product and service. These are what you see when you expand the findings (in the scan’s table) to see a few lines of source code related to each sensitive data. This is never shared with anyone and is used to improve and diagnose our systems.

Do you share my code and data with anyone?

No. Never. Your code will always belong to you. We never share it in any way or sell it. Our business model is based on a free tier, license, and usage payments. Your email address will be only used to send you product-related emails, and you can unsubscribe if you want.

How secure is your system?

  1. We are SOC2 compliant. We incorporated a whole SSDLC paradigm to develop this tool; therefore, we have a strict security-by-design model. Each scan happens inside an isolated container, always disconnected from other customers’ data. We already have an external contractor doing pentest for this tool, and we’re good.
  2. We actively monitor our systems for security and general issues.
  3. In previous roles, Piiano’s founding team was responsible for the SSDLC and oversaw 700 engineers. We live and breathe security.
  4. If you find security bugs, please email us at We give small awards to legit vulnerability reports.

Why should I trust you with my source code?

We are a recognized team of cybersecurity experts. We love privacy and security and do our best to help companies out there know and protect their sensitive data 10x better. We’re proudly backed by one of the most notable cybersecurity VCs in the world, YL Ventures. You can read more about us here. We’re based in Tel Aviv, Israel.

How do I ensure you don’t have access to my repository anymore?

  1. The access tokens are valid for only 8 hours.
  2. If you disable your account, we will delete these keys immediately.

Where do I report bugs, errors, or just honest feedback?

We’re happy that you care so much about helping us improve our product. Please contact us. We promise to answer!

