This Security Policy outlines the measures we take to protect you and your stakeholders when you use (the “Website”). helps you pass security audits's core goal is to give our users a systematic way to evaluate the quality of their code. To pass security audits (such as SOC 2 Type II), you can use as a core system to ensure systems and performance are consistent.

By leveraging our industry-leading caching system, you can populate a database with an anonymized dump of production data in seconds at the beginning of your builds. This allows you to ensure that proposed changes will maintain data integrity and pass any necessary security gates. lets you integrate with any software that you want, so it's easy to integrate us with industry-leading security scanners such as Snyk, Vectrix, and SonarQube

The data we store

Personally Identifiable Information

We store certain Personally Identifiable Information when you register for This information consists of:

  1. Your full name
  2. Your phone number (for billing purposes)
  3. Authorizations to perform actions on your behalf on our integration partners (e.g., GitHub and Slack)
  4. Your Emails (which we use for support & marketing, in an opt-out manner)
  5. A link to your avatar (hosted on a third party site)
  6. Metadata such as the pages you visit and the actions you perform on the Website

We do not store any passwords or password hashes. Authentication is done entirely through third party providers when you log in.
We do not store any payment card information. Our payments are processed by Stripe, a PCI-compliant payment processor.

Source code

From the point that you install to the point that you uninstall it, we may store a locally cached copy of any repositories for which you request we start CI runs for.
This local copy is only accessible by authorized employees of, and our hosting provider.

Secrets allows you to store secret values in a special section of the run dashboard and expose them with the SECRET ENV directive.

These secrets are encrypted at rest with military-grade AES256. They are only accessible by administrators of your account and authorized employees of

Staging servers

Staging servers exposed through EXPOSE WEBSITE have no authentication mechanism built-in, besides the unguessable URL link. It's your prerogative to ensure that no sensitive data is exposed inadvertently by posting a link to the staging server, or creating a route to the staging server.

To maximize safety, we recommend not putting any sensitive information on any server exposed by EXPOSE WEBSITE.

Staging servers which are not exposed by any directive are not accessible except for by agents which you authorize to access your repository. We ask your SCM provider (e.g., GitHub, BitBucket) whether a specified user has access to a repository to determine if they should have access to a staging server.

Authorized employees

Only authorized employees of are given access to our production servers. These employees are senior engineering leaders and executives of, which have been thoroughly vetted.

Our hosting provider

We run our entire stack and store all of our data on resources provided by OVH, a multinational cloud provider.

Our hosting provider has the following certifications:

  • ISO 27001
  • SOC 1 Type II
  • SOC 2 Type II
  • EBA