Security at CommitFlow
Your code stays yours. Here's how we protect your data, your repositories, and your trust.
Read-Only GitHub Access
CommitFlow requests the minimal OAuth scopes it needs: read-only repository access. With that grant we cannot modify your code, create commits, or push to your repositories. You can review the exact scopes we were granted, and revoke them at any time, under Authorized OAuth Apps in your GitHub account settings.
Encrypted Tokens
All API keys, webhook secrets, and OAuth tokens are encrypted at rest using AES-256-GCM. Encryption keys are never logged or exposed.
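The pattern this describes, as an added example written for this page rather than CommitFlow's own code: field-level AES-256-GCM using Go's standard library, with a fresh random 96-bit nonce per record, the record's identifier bound in as additional authenticated data so a ciphertext copied into another row fails to decrypt, and a key type whose String method keeps the key bytes out of any log line. The function names (sealToken, openToken), the DataKey type, the record-id format and the sample token are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// DataKey wraps the 32-byte AES-256 key (hypothetical type for this example).
// The String method makes an accidental fmt/log call print a redaction marker
// instead of the key bytes.
type DataKey []byte

func (k DataKey) String() string { return "DataKey[redacted]" }

func newGCM(key DataKey) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256-GCM needs a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealToken encrypts one secret for storage. The 96-bit nonce is random per
// record and stored in front of the ciphertext; recordID is passed as
// additional authenticated data so a ciphertext moved to another row
// fails authentication on decrypt.
func sealToken(key DataKey, recordID string, plaintext []byte) (string, error) {
	aead, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := aead.Seal(nonce, nonce, plaintext, []byte(recordID))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// openToken reverses sealToken. Any change to nonce, ciphertext, tag or
// recordID, or use of the wrong key, returns an error rather than garbage.
func openToken(key DataKey, recordID string, stored string) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	if len(raw) < aead.NonceSize()+aead.Overhead() {
		return nil, errors.New("stored value too short")
	}
	nonce, ct := raw[:aead.NonceSize()], raw[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(recordID))
}

func main() {
	key := make(DataKey, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	// Constructed sample token for the demo; not a real credential.
	token := []byte("gho_exampleTokenValue")
	stored, err := sealToken(key, "oauth_tokens:42", token)
	if err != nil {
		panic(err)
	}
	fmt.Println("key:", key) // prints DataKey[redacted], never the bytes
	fmt.Println("stored:", stored)
	back, err := openToken(key, "oauth_tokens:42", stored)
	fmt.Printf("same row: %q err=%v\n", back, err)
	_, err = openToken(key, "oauth_tokens:43", stored)
	fmt.Println("other row:", err) // authentication fails
}
```

The key should come from a secrets manager or environment at process start and never be written to the same store as the ciphertext; the DataKey wrapper only guards against the logging mistake, not against a key that is reachable from the database.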
No Code Storage
We do not store your source code. CommitFlow reads commit metadata (messages, authors, timestamps) and never clones or mirrors your repository.
SOC 2 Compliance (In Progress)
We are actively pursuing a SOC 2 Type I report (an auditor's attestation rather than a certification). Our infrastructure already follows SOC 2-aligned security practices, including audit logging, access controls, and change management.
GDPR Compliant
User data is stored in EU data centers. We honour data export and deletion requests. Personal data is never sold or shared with third parties beyond the sub-processors that host our infrastructure (listed under Infrastructure Security below).
Infrastructure Security
Hosted on Vercel and Supabase, both of which hold SOC 2 attestations. All traffic to and from CommitFlow is encrypted in transit with HTTPS (TLS 1.3). Database backups run daily with 30-day retention.
Report a vulnerability
If you discover a security issue, please email us at security@commitflow.org. We respond within 24 hours.