Security & Compliance

Your code stays your code

We take the security of your source code seriously. Here's exactly how we protect it, the compliance standards we meet, and the ones we're working toward.

SOC 2 Type II: Roadmap

GDPR: Roadmap

CCPA: Roadmap

ISO 27001: Roadmap

How we protect your data

Encryption at rest & in transit

All data is encrypted with AES-256 at rest in our database and vector store. All network traffic uses TLS 1.3.

Read-only repository access

We only request the minimum scopes needed to read your code. We never request write access, issue creation, or modification permissions.

Zero-retention AI inference

Queries to Anthropic Claude use zero data retention — your code is never logged, used for training, or kept after the response returns.

HMAC-verified webhooks

GitHub webhooks are verified with HMAC-SHA256 signatures and idempotency keys — no forged events can trigger re-indexing.

Audit logs (Team plan)

Every auth event, member change, repo access, and admin action is logged with user, IP, timestamp, and user-agent. Exportable as CSV.

Role-based access control

Team workspaces support three roles (owner / admin / member) with granular permission boundaries. SSO via SAML and OIDC available on Team plans.

Your data's journey

Complete transparency into where your code goes and what we do with it.

  1. You connect a repository

     We request read-only access via GitHub OAuth. You can revoke access at any time from GitHub's settings.

  2. Code is indexed on our infrastructure

     We use local sentence-transformers embeddings — your code is never sent to third-party embedding APIs. Vectors are stored in our encrypted ChromaDB instance.

  3. Questions trigger AI queries

     When you ask a question, we send only the most relevant code snippets (not your whole repo) to Anthropic Claude. These snippets are processed under Anthropic's zero-retention policy — nothing is used for model training.

  4. Delete anytime, all data purged

     When you delete a repo, all indexed content, embeddings, chat history, and cached reports are permanently removed within 30 days.

Responsible disclosure

Found a security issue? We'd love to hear from you. Report vulnerabilities to security@repoinsight.ai. We respond within 24 hours and fix verified issues within 72 hours for critical severity.

We maintain a security.txt file at /.well-known/security.txt per RFC 9116.

Last updated: January 2026 · Questions about enterprise compliance? Contact sales