Our Security Commitment
At CodePulse, security isn't an afterthought - it's foundational to everything we build. We understand that engineering leaders are entrusting us with sensitive information about their teams and processes. We take that responsibility seriously.
Our approach is simple: request only what we need, encrypt everything, and give you full control over your data at all times.
Data We Collect
What We Collect
- GitHub user profile (name, avatar, email)
- Organization and repository names
- Pull request metadata (titles, authors, timestamps, review status)
- Commit metadata (SHA, author, timestamp, additions/deletions count)
- Review activity (reviewer, timestamp, approval status)
- Status check results (pass/fail, not logs)
What We Never Collect
- Source code contents - we never read your actual code
- Issue body text or comments content
- Private messages or discussions
- Secrets, API keys, or environment variables
- CI/CD logs or deployment configurations
- Personal data beyond GitHub profiles
How We Store Data
All data is stored in PostgreSQL databases with strict multi-tenant isolation. Each organization's data is completely separated at the database level using organization-specific filtering on every query.
Encryption:
- Data at rest: AES-256 encryption via Fernet
- GitHub tokens: Encrypted separately from application data
- Data in transit: TLS 1.3 for all connections
- Database connections: Encrypted and authenticated
Infrastructure:
- Hosted on secure, SOC 2 compliant cloud infrastructure
- Regular automated backups with encryption
- Network isolation between components
- No direct database access - all queries go through authenticated APIs
Your Rights & Control
You maintain full control over your data at all times:
Export: Download all your organization's data as CSV files at any time from the dashboard. Every metric, every data point - it's yours.
Delete: One-click deletion of all your organization's data from Settings. Once deleted, data is permanently removed from our systems and backups within 30 days.
Revoke Access: You can revoke CodePulse's GitHub access at any time:
1. Go to GitHub → Settings → Applications → Authorized OAuth Apps
2. Find CodePulse and click "Revoke"
3. We immediately lose access to your repositories
Modify Scope: Add or remove repositories from analysis at any time. We only sync data from repositories you explicitly choose.
Third Parties
We do NOT sell your data. Ever. Our business model is software subscriptions, not data brokering.
We do NOT share your data with third parties for marketing or advertising purposes.
Limited third-party services:
- Cloud hosting provider (for infrastructure)
- Error monitoring (anonymized error reports only)
All third-party providers are vetted for security compliance and bound by data processing agreements.
Security Practices
Authentication:
- GitHub OAuth 2.0 - we never see your GitHub password
- Short-lived JWT access tokens (30-minute expiry)
- Automatic token refresh with secure refresh tokens
- Session invalidation on logout
Application Security:
- SQL injection prevention via parameterized queries (SQLAlchemy ORM)
- XSS prevention through React's built-in escaping
- CSRF protection on all state-changing operations
- Rate limiting on authentication endpoints
- Input validation on all API endpoints
Development Practices:
- Regular dependency updates and security patches
- Code review required for all changes
- Automated security scanning in CI/CD
- Principle of least privilege for all access
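As an added illustration (not CodePulse's own code) of two practices described on this page, tenant isolation through organization-specific filtering on every query and SQL injection prevention via parameterized queries: a small Python store in which the org_id is fixed when the accessor is built, so no query can run without it and request input can never widen it. It assumes an in-memory SQLite database with constructed sample rows as a stand-in for the PostgreSQL/SQLAlchemy setup the page describes.

```python
import sqlite3
from typing import List, Optional, Tuple

# Constructed in-memory SQLite stand-in for the PostgreSQL table the page
# describes; only PR metadata is stored, never source code or issue bodies.
SCHEMA = """
CREATE TABLE pull_requests (
    id INTEGER PRIMARY KEY,
    org_id INTEGER NOT NULL,
    repo TEXT NOT NULL,
    title TEXT NOT NULL,
    author TEXT NOT NULL,
    review_status TEXT NOT NULL
);
"""

# Constructed sample metadata for two tenants (org_id 1 and org_id 2).
SAMPLE_ROWS = [
    (1, "acme/api", "Add rate limiter", "alice", "approved"),
    (1, "acme/web", "Fix login redirect", "bob", "changes_requested"),
    (2, "globex/core", "Rotate signing keys", "carol", "approved"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO pull_requests (org_id, repo, title, author, review_status) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_ROWS,
    )
    return conn


class TenantScopedStore:
    """Every query is bound to one org_id at construction time, so a caller
    cannot forget the tenant filter or override it with request input."""

    def __init__(self, conn: sqlite3.Connection, org_id: int):
        self._conn = conn
        self._org_id = org_id

    def pull_requests(self, repo_filter: Optional[str] = None) -> List[Tuple]:
        # Parameterized: user-supplied repo_filter is bound, never interpolated.
        sql = ("SELECT repo, title, author, review_status FROM pull_requests "
               "WHERE org_id = ?")
        params: list = [self._org_id]
        if repo_filter is not None:
            sql += " AND repo = ?"
            params.append(repo_filter)
        return self._conn.execute(sql, params).fetchall()
```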
Compliance
GDPR Compliant:
- Right to access: Export all your data anytime
- Right to deletion: Delete all data with one click
- Right to portability: CSV export of all metrics
- Data minimization: We only collect what we need
GitHub OAuth Scopes:
We request minimal OAuth scopes:
- read:user - Basic profile information
- read:org - List organizations you belong to
- repo (read-only) - Access to repository metadata
We specifically do NOT request:
- write permissions of any kind
- delete permissions
- admin permissions
SOC 2 Type II: We are actively working toward SOC 2 Type II certification. Contact us for our current security documentation and compliance roadmap.
Questions about security?
We're happy to answer any questions about our security practices.
security@codepulsehq.com