docs-keeper processes diffs from merged pull requests across hundreds of repositories. We take that responsibility seriously. This page documents the controls we run today and how to report a vulnerability.
How we protect your code
- No persistence of source. We process the diff and a small surrounding context window. The full repository contents are never written to our database.
- Short-lived tokens. All GitHub API access uses installation tokens minted on demand via the Octokit App SDK. Tokens expire in one hour and are not stored at rest.
- Branch isolation. Generated PRs are always opened from a dedicated branch (docskeeper/run-<id>). We never push to your default branch.
- Validation gate. Every draft passes 7 deterministic rules (no hallucinated identifiers, no frontmatter deletion, no >50% rewrites, 50KB hard cap, markdown structural integrity). Failures are routed to a comment, not a PR.
How we protect your data
- Encryption. TLS 1.3 in transit, AES-256 at rest (Supabase-managed).
- Webhook authenticity. Every GitHub event is HMAC-verified against the installation's webhook secret before processing.
- Tenant isolation. Every database query is scoped to an organisation; we enforce this in code, not just by app convention.
- Access logs. All admin actions are recorded in an append-only audit log retained for 1 year.
How we protect your account
- GitHub OAuth. We don't store passwords; sign-in is through GitHub. We honour GitHub's 2FA enforcement.
- Session hygiene. Sessions are cookie-bound, HttpOnly, and rotate on privilege change.
- API keys. Scoped per-workspace, displayed once at creation, hashed at rest. Revoke any time from Settings → API keys.
Subprocessors
Our current subprocessors are Supabase (database hosting), OpenRouter/Anthropic (LLM inference; zero-retention headers set), Lemon Squeezy (billing), and Resend (transactional email). We notify customers of material subprocessor changes at least 30 days in advance.
Reporting a vulnerability
We take security reports seriously. Please email [email protected] with:
- A description of the issue and its impact.
- Steps to reproduce.
- Your contact and (optionally) PGP key.
We acknowledge reports within 48 hours and provide a remediation timeline within 7 days. We don't pursue legal action against researchers who follow this disclosure process in good faith.
Compliance roadmap
SOC 2 Type II is on the Team-tier roadmap. DPA available on request for paid customers — email [email protected].