Security & Data Protection

Last Updated: February 16, 2026

At RepoSweeper, we take security seriously. This page explains how we protect your data, handle security incidents, and maintain the infrastructure that powers our service.

We believe in transparency. If you have security questions not covered here, email us at [email protected]

🔒 Data Security

What Data We Collect

  • GitHub Account Information: Username, email, avatar (via OAuth)
  • Repository Metadata: Repo names, descriptions, commit messages (never your source code)
  • AI Summaries: Generated summaries of your commit activity (cached for 7-30 days)
  • Subscription Data: Stripe customer ID, subscription status, payment method (via Stripe)
  • Usage Data: Which tools you use, when, basic analytics

What We DON'T Collect

  • ❌ Your source code (we only read commit messages and repo metadata)
  • ❌ Your GitHub password (you authenticate on GitHub via OAuth; your password is never entered on or seen by RepoSweeper)
  • ❌ Payment card details (handled entirely by Stripe)
  • ❌ Unnecessary tracking or analytics

How We Protect Your Data

  • Encryption in Transit: All data transmitted over HTTPS/TLS 1.3
  • Encryption at Rest: Database encrypted at rest (MongoDB Atlas encryption)
  • API Keys: Your AI provider keys (Claude, OpenAI, Gemini) are encrypted using AES-256 before storage
  • GitHub Access: OAuth tokens stored securely, scoped to minimum required permissions
  • Payment Security: PCI-DSS compliant payment processing via Stripe (we never see your card)
  • Session Security: Session cookies are set with the Secure, HttpOnly and SameSite=Strict attributes

🏗️ Infrastructure & Hosting

Where Your Data Lives

  • Application Hosting: Vercel (US region) - SOC 2 Type II certified
  • Database: MongoDB Atlas (US region) - SOC 2, ISO 27001 certified
  • Payment Processing: Stripe - PCI Level 1 certified
  • AI Processing: Anthropic (Claude), OpenAI, Google (Gemini) - varies by your choice

Backups

  • Database Backups: Automated daily backups via MongoDB Atlas (retained for 7 days)
  • Point-in-Time Recovery: Available for last 24 hours
  • Disaster Recovery: Full database restoration capability within 4 hours

👤 Access Controls

Who Has Access to Your Data

  • You: Full control via dashboard and API
  • RepoSweeper Developer (Solo): Database access for maintenance and support only
  • Third-Party Services:
    • Vercel: Hosting platform (no data access)
    • MongoDB Atlas: Database provider (infrastructure only)
    • Stripe: Payment processing (payment data only)
    • AI Providers: Only commit messages you choose to analyze

Admin Access Policy

  • Database access requires two-factor authentication (2FA)
  • All admin actions are logged
  • Customer data accessed only for support requests or critical issues
  • No routine browsing of customer repositories or data

🔐 Authentication & Authorization

How You Log In

  • GitHub OAuth: Secure authentication via GitHub (no password storage)
  • Session Management: Secure sessions with automatic expiration
  • Token Scoping: Minimal GitHub permissions requested (repository metadata and commit history, read-only). You can review or revoke what RepoSweeper was granted at any time under GitHub Settings → Applications → Authorized OAuth Apps

API Security

  • Rate limiting to prevent abuse (100 requests/minute per user)
  • Request validation and sanitization
  • CORS policy restricting which browser origins may call the API (CORS is a browser-side control that complements, rather than replaces, per-request session authentication)

🚨 Incident Response

Our Commitment

As a solo developer, I take personal responsibility for security. If something goes wrong, here's what happens:

Incident Response Process

  1. Detection: Automated monitoring + manual daily checks
  2. Assessment: Determine severity and scope within 2 hours
  3. Containment: Stop the issue from spreading (immediate action)
  4. Communication:
    • Critical issues: Email all affected users within 4 hours
    • Minor issues: Status page update + post-mortem after resolution
  5. Resolution: Fix the root cause and deploy within 24 hours
  6. Post-Mortem: Document what happened and how we'll prevent it

Security Contact

Found a security vulnerability? Please email [email protected] immediately. We'll respond within 24 hours and work with you to resolve it.

🛡️ Vulnerability Management

How We Stay Secure

  • Dependency Updates: Automated weekly scans for vulnerable packages (GitHub Dependabot)
  • Security Patches: Critical vulnerabilities patched within 48 hours
  • Code Reviews: Security-focused code review before every deployment
  • Penetration Testing: Annual third-party security audit (planned for Q2 2026)

🤝 Coordinated Vulnerability Disclosure Policy

We genuinely appreciate security researchers who take the time to responsibly disclose vulnerabilities. It makes RepoSweeper safer for everyone. If you've found something — thank you.

How to Report

Email [email protected] with:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce (the more detail the better)
  • Any proof-of-concept code or screenshots if applicable
  • Your preferred contact method for follow-up

What Happens Next

  1. Acknowledgment: We'll confirm receipt within 24 hours
  2. Assessment: We'll evaluate severity and scope within 72 hours
  3. Updates: We'll keep you informed every 72 hours until resolved
  4. Resolution: We'll notify you when the fix is deployed
  5. Credit: With your permission, we'll thank you publicly in our acknowledgments

Bug Bounty

We offer bounties for responsibly disclosed vulnerabilities. Rewards are at our discretion based on severity:

  • Critical (RCE, auth bypass, data exposure): $50–$200
  • High (privilege escalation, significant data leak): $25–$75
  • Medium (XSS, CSRF, limited data exposure): $10–$30
  • Low (minor issues, informational): Our sincere thanks + acknowledgment

We're a small bootstrapped product — these amounts reflect that honestly. We'd rather be transparent than promise enterprise-level bounties we can't deliver.

Safe Harbor

If you act in good faith and follow this policy, we will not pursue legal action against you. We consider responsible security research a valuable contribution, not a threat. We ask that you:

  • Give us reasonable time to fix the issue before public disclosure (we ask for 30 days)
  • Don't access, modify, or delete user data beyond what's necessary to demonstrate the vulnerability
  • Don't perform DoS attacks or spam
  • Don't social engineer our users or team

Out of Scope

  • Vulnerabilities in third-party services we use (report those to the vendor directly)
  • Theoretical attacks without working proof-of-concept
  • Issues requiring physical access to a device
  • Rate limiting / brute force on non-sensitive endpoints

🏆 Security Acknowledgments

We're grateful to the following researchers who have responsibly disclosed vulnerabilities and helped make RepoSweeper more secure:

  • 2026: Anonymous researcher — responsible disclosure of a security vulnerability. Thank you for reaching out privately and giving us the chance to fix it before any users were affected.

Want to be on this list? Email [email protected].

🗑️ Data Retention & Deletion

How Long We Keep Your Data

  • Account Data: Until you delete your account
  • AI Summaries (Cache): 7-30 days, then automatically deleted
  • Usage Logs: 90 days for debugging and analytics
  • Backup Data: 7 days, then permanently deleted
  • Deleted Account Data: 30-day soft delete, then permanently purged

How to Delete Your Data

  1. Go to Settings → Account → Delete Account
  2. Confirm deletion (this is permanent)
  3. Your data is soft-deleted immediately (account inaccessible)
  4. After 30 days, all data is permanently purged from our systems
  5. Backups are purged within 37 days (7-day backup retention + 30-day grace period)

Need immediate deletion? Email [email protected] and we'll expedite it.

🌍 Compliance & Privacy

GDPR (European Users)

  • ✅ Right to access your data (download from Settings)
  • ✅ Right to deletion (delete account anytime)
  • ✅ Right to data portability (export as JSON)
  • ✅ Right to rectification (edit in Settings)
  • ✅ Lawful basis: Consent (you sign up) + Contractual necessity (to provide service)

CCPA (California Users)

  • ✅ Right to know what data we collect (see above)
  • ✅ Right to delete your data
  • ✅ Right to opt-out of data sales (we don't sell data, ever)

Privacy Policy

See our full Privacy Policy for complete details on how we collect, use, and protect your information.

🔄 Monitoring & Logging

What We Monitor

  • Application uptime and performance (99.9% target)
  • Error rates and failed requests
  • API usage and rate limit violations
  • Database performance and query times
  • Authentication failures and suspicious login attempts

What We Log

  • API requests (method, endpoint, response code, user ID)
  • Authentication events (login, logout, token refresh)
  • Errors and exceptions (for debugging)
  • Admin actions (database access, configuration changes)

Logs are retained for 90 days, then automatically deleted.

📋 Third-Party Services

Services We Use & Why

Service            | Purpose                   | Data Shared                           | Compliance
Vercel             | Application hosting       | None (infrastructure only)            | SOC 2 Type II, GDPR
MongoDB Atlas      | Database                  | All application data                  | SOC 2, ISO 27001, GDPR
Stripe             | Payment processing        | Email, customer ID, subscription data | PCI Level 1, SOC 2, GDPR
GitHub             | Authentication, repo data | GitHub username, repos, commits       | SOC 2, ISO 27001, GDPR
Anthropic (Claude) | AI summaries (optional)   | Commit messages you analyze           | SOC 2, GDPR
OpenAI             | AI summaries (optional)   | Commit messages you analyze           | SOC 2, GDPR
Google (Gemini)    | AI summaries (optional)   | Commit messages you analyze           | SOC 2, ISO 27001, GDPR

Note: We only share the minimum data necessary for each service to function. No third-party service receives your full database or unnecessary personal information.

📞 Contact & Questions

🔒 Security Issues

Found a vulnerability?

[email protected]

Response time: 24 hours

❓ General Questions

Questions about our security practices?

[email protected]

Response time: 48 hours

📄 Documentation Requests

Need security docs for vendor approval?

[email protected]

We'll send our security overview within 24 hours

🔮 Future Security Improvements

On Our Roadmap

  • Q2 2026: Third-party security audit and penetration testing
  • Q3 2026: SOC 2 Type I certification (if we reach 100+ B2B customers)
  • Q4 2026: Formal bug bounty program (today's discretionary rewards are described under Coordinated Vulnerability Disclosure above)
  • 2027: SOC 2 Type II certification

Security is an ongoing process, not a one-time achievement. We're committed to continuously improving our security practices as we grow.

💬 Honest About Our Size

RepoSweeper is currently a solo-developer project. I'm transparent about this because honesty builds trust. Here's what that means for security:

Advantages

  • Direct communication with the person who built and maintains everything
  • Fast response times (no bureaucracy)
  • Personal accountability for every security decision
  • Lean attack surface (fewer people with access = fewer risk points)

Limitations

  • No 24/7 on-call team (incidents handled during US business hours + evenings)
  • No dedicated security team (relying on best practices + third-party audits)
  • Limited resources compared to enterprise vendors

What We Do About It

  • Automated monitoring and alerts (I get notified immediately)
  • Conservative security decisions (when in doubt, we're more restrictive)
  • Relying on battle-tested infrastructure (Vercel, MongoDB Atlas, Stripe)
  • Planning for growth (roadmap includes security audits and certifications)

If you need enterprise-grade SLAs and 24/7 support, we're not there yet. But if you want a secure, well-maintained product built by someone who takes personal responsibility for your data, that's exactly what RepoSweeper is.

Questions or feedback on this page? Email [email protected]