Security

Your code stays yours

Commitloom reads the diff. It doesn't read your repo. It doesn't store your code. It doesn't train on your output. What you build stays yours.

No repository content stored — diff is read ephemerally
Minimal GitHub App scopes — read-only except PR comments
No AI training on your code or review data
SOC 2 Type II controls designed into architecture from day one

Security pillars

What your security team will ask about

Before approving a tool that reads your code, your security team will want to know: what's stored, what scopes are requested, and whether the AI trains on your data. The answers are below.

No secrets stored

Commitloom never stores API keys, environment variables, secrets, or credentials — even if they appear in the diff. Diffs are processed in memory to generate the review, then discarded. Nothing about your code is written to persistent storage.

Minimal scopes

The GitHub App requests exactly three permissions: pull_requests: read+write (to post comments), contents: read (diff only), and metadata: read. No write access to code or issues.

Ephemeral diff reads

Commitloom fetches the PR diff, processes it in memory, generates the review, and discards the diff. Nothing is written to persistent storage. Your code never lives in our database.

SOC 2 controls in design

Our infrastructure is designed with SOC 2 Type II controls from day one: access logging, least-privilege IAM, encryption at rest and in transit, and quarterly access reviews. We are not yet SOC 2 certified — certification is on our roadmap. If your org requires a signed BAA or SOC 2 report today, contact us to discuss your timeline against ours.

GitHub App permissions

Exactly what we ask for and why

We request the minimum set of permissions needed to do one job: read the diff and post inline comments. We do not request write access to code, issues, or any other resource.

Permission          | Scope           | Access level   | Why we need it
Pull requests       | pull_requests   | Read + Write   | Read the PR diff; write inline review comments and update PR description
Repository contents | contents        | Read only      | Fetch the raw diff of changed files — no access to repo history or other files
Metadata            | metadata        | Read only      | Required by GitHub for all Apps — repo name, visibility, basic branch info
Issues              | issues          | Not requested  | Commitloom does not read or write to issues
Code                | contents:write  | Not requested  | Commitloom never modifies code

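A security team approving the App will usually want to verify the table above against what GitHub actually granted, rather than take it on trust. The following is an added example, not Commitloom's code: it takes the `permissions` object GitHub returns for an App installation (a scope-to-level map with values such as "read" or "write", as returned by the GitHub Apps installation API) and reports every scope granted beyond the declared minimum, plus any declared scope that is missing. The sample installation objects are constructed for illustration.

```python
"""Least-privilege check for a GitHub App installation's permissions.

Compares the `permissions` object GitHub returns for an App installation
(scope -> "read" | "write" | "admin") against a declared minimum, and
reports every scope that is granted beyond it.
"""

# Declared minimum taken from the permissions table on this page.
# In GitHub's model "write" implies "read", so "write" is the ceiling
# for pull_requests; anything on an undeclared scope is excess.
DECLARED_MINIMUM = {
    "pull_requests": "write",
    "contents": "read",
    "metadata": "read",
}

# Ordinal ranking of GitHub App permission levels.
_LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}


def excess_permissions(granted: dict, declared: dict = DECLARED_MINIMUM) -> list:
    """Return (scope, granted_level, allowed_level) for each scope whose
    granted level exceeds the declared minimum.  Scopes absent from
    `declared` are allowed "none", so any grant on them is reported.
    Unknown level strings are treated as the highest level (fail closed)."""
    findings = []
    for scope, level in sorted(granted.items()):
        allowed = declared.get(scope, "none")
        if _LEVELS.get(level, 99) > _LEVELS[allowed]:
            findings.append((scope, level, allowed))
    return findings


def missing_permissions(granted: dict, declared: dict = DECLARED_MINIMUM) -> list:
    """Return declared scopes the installation lacks or holds at too low a
    level (the App could not do its job on this installation)."""
    return sorted(
        scope
        for scope, level in declared.items()
        if _LEVELS.get(granted.get(scope, "none"), 0) < _LEVELS[level]
    )


# Constructed samples in the shape of the `permissions` object from
# GET /app/installations; not real installation data.
SAMPLE_OK = {"pull_requests": "write", "contents": "read", "metadata": "read"}
SAMPLE_OVERSCOPED = {
    "pull_requests": "write",
    "contents": "write",   # code write: never requested per the table
    "metadata": "read",
    "issues": "read",      # issues: not requested per the table
}

if __name__ == "__main__":
    for name, perms in (("ok", SAMPLE_OK), ("overscoped", SAMPLE_OVERSCOPED)):
        print(name, "excess:", excess_permissions(perms),
              "missing:", missing_permissions(perms))
```

Run against a live installation by feeding it the `permissions` field of the installation object; an empty result from both functions means the grant matches the published table exactly.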
Data flow

What happens to your diff

[Diagram: Commitloom reads the PR diff ephemerally and discards it after the review; no secrets are stored]

Security FAQ

Common security questions

Does Commitloom train its AI on our code?

No. We do not use your diffs, your review output, or any data derived from your repositories to train our AI models. Your code is processed for the purpose of generating a review, then discarded.

Which AI model processes our diffs?

Commitloom uses a hosted large language model for diff analysis. The provider is under a data processing agreement that prohibits using customer data for model training. We evaluate providers on security posture, not just capability.

What data do you retain, and for how long?

Diff content: not retained — processed in memory and discarded. Review comments: retained for 90 days to support re-review and analytics, then purged. Access logs: retained 90 days for security monitoring. Scale plan customers can configure custom data retention windows.

Are you SOC 2 certified?

We are not yet SOC 2 certified. Commitloom is designed with SOC 2 Type II controls from day one (access logging, least-privilege IAM, encryption in transit and at rest, regular access reviews). We plan to pursue certification as we scale. If your organization requires SOC 2, contact us to discuss your timeline and ours.

Security questionnaire? We'll fill it out.

Email us your security review requirements. We respond to every inquiry personally — no automated responses.