Security & trust at DevSignal

01 / The connection

Narrow scopes into the tools your team already runs.

DevSignal authorizes through each provider's official install or OAuth flow. We read the activity stream, and write back only the actions you explicitly opt into — posting your own digest to Slack, requesting a review on a PR, or commenting on a PR you generated a brief for. Every scope we hold is listed below.

GitHub. Installed as a GitHub App with read access to repo metadata, pull requests, issues, and members. We request pull_requests: write so opt-in features can post a comment or request a reviewer on a PR. We do not request repo:write, workflow, or admin scopes.
Linear. Connected via a personal API key you generate and paste into DevSignal Settings — not OAuth. The key inherits your Linear permissions; revoke it in Linear at any time and the connection drops. We use it to read issues, comments, cycles, and projects.
Slack. Bot token requesting chat:write (post digests to a channel you pick), channels:read and groups:read (list channels you can choose between), commands (the /devsignal slash command), and users:read + users:read.email (match Slack members to GitHub authors so DMs reach the right person). We do not request files:read or any history scope.
Revocable any time. Disconnect from your DevSignal Settings or revoke the grant directly in GitHub / Linear / Slack — either action takes effect immediately.

02 / Where the data lives

One region, one database, encrypted everywhere.

DevSignal runs on Vercel with a Supabase Postgres backend. Customer data lives in a single US-region project — no replication to other regions, no shadow copies in third-party tools.

Application hosting

Vercel. Edge network for static assets; serverless functions for API routes. US region.

Database

Supabase Postgres. Encrypted at rest with AES-256 by the provider's managed disk encryption. Daily managed backups.

Encryption in transit

TLS 1.3. Enforced on every public endpoint — API, web, webhooks. HSTS preload submitted.

Authentication

Supabase Auth + GitHub OAuth. Passwords are never stored on DevSignal infrastructure; any MFA set at the OAuth provider is honored.

Tenancy

Row Level Security. Every customer row is scoped by workspace_id at the Postgres level — no cross-tenant query is possible from the app's anon key.

03 / AI processing

Your data isn't training data.

DevSignal sends the smallest sample of your activity needed to produce a signal to Anthropic's Claude API at inference time only. By Anthropic's API terms, prompts and completions submitted via the API are not used to train their models.

Inference-only. No fine-tuning of any model on customer data. No DevSignal model exists that has been trained on your activity.
Per-team scoring stays in our database. The feedback loop ("this signal was expected", "suppress this pattern") is stored in Postgres scoped to your workspace — not in any model weights.
Minimum context. We send only the events relevant to a candidate signal, not your entire history, and never raw OAuth tokens.
Prompt-injection conscious. Inputs from your tools are isolated from the system prompt; DevSignal cannot be coerced via a PR comment or Slack message into ignoring its instructions.

04 / Authentication & access

Least privilege, everywhere.

For users

Sign in with GitHub OAuth. We never see your password — if you have MFA enabled on your GitHub account, that protection extends to DevSignal automatically. Sessions are managed by Supabase Auth with rotating refresh tokens.

For our team

Production access is gated through SSO with hardware-key MFA. The application's service-role key is held only by deploy-time infrastructure. Engineers query production via read-replica with auditable per-query logging.

05 / Data lifecycle

What we store, what we don't, and how to delete it.

What we store. Workspace identity, user profile (GitHub username + email), connection metadata, generated signals, brief outputs, your context paragraphs, and feedback (suppress / expected) signals.
What we don't store. Raw PR diffs, full Slack thread bodies after a signal completes, OAuth refresh tokens in plaintext (encrypted at rest), or any content from tools you haven't connected.
Activity retention. Recent activity is kept hot for signal generation; older events age out over time. We do not maintain a cold-storage archive of your raw event stream.
Account deletion. Triggered from your account settings; runs the delete_user_only Postgres RPC which removes user-scoped rows in a single transaction. If you're the last user in a workspace, the workspace is deleted with you.
Subject access. Email security@devsignal.app for an export of everything tied to your account — we'll respond within five business days.

06 / Subprocessors

Everyone we share data with, by name.

We will email a notice to all account owners 30 days before any change to this list.

Provider	Purpose	Data shared	Region
Vercel	Application hosting + edge network	HTTP request metadata; no application data persists on Vercel infrastructure	US
Supabase	Postgres database + authentication	All customer-facing application data — encrypted at rest	US
Anthropic	Claude API for signal reasoning, Smart Search, and Report generation	Per-request prompts containing the minimum events to score; not used for training per Anthropic API terms	US
GitHub	Source: PR + issue + repo activity; write access used for opt-in PR comments and review requests	GitHub App installation	US (GitHub.com)
Linear	Source: issue + cycle + project activity	Personal API key (read scope as granted by the key holder)	US (Linear default)
Slack	Source: channel and member metadata for connected workspaces; write access used to post digests and DMs you configure	Slack bot token	Customer-controlled (Slack workspace region)

07 / Compliance posture

What we have today, and what's on the way.

Today

GDPR-aligned data subject rights (access, deletion, export). DPA available on request for customers in the EU/EEA. All customer data encrypted in transit (TLS 1.3) and at rest (AES-256 via Supabase managed disks).

On the roadmap

SOC 2 Type II is on the post-GA roadmap. We don't claim it today — the controls list is being built out as the product moves out of beta. We'll publish the report as soon as it lands.

About beta status

DevSignal is in beta. We treat your data with production-grade controls (encryption, RLS, OAuth scopes), but we are not yet certified against external audit frameworks. If you have specific compliance requirements before connecting a tool, please reach out before signup — we'd rather have the conversation up front than have you discover a gap later.

08 / Reporting a vulnerability

Found something? Tell us.

We don't run a paid bug bounty yet, but we take vulnerability reports seriously. Email a clear repro, the affected URL, and any payload to security@devsignal.app. You'll get a human acknowledgement within 24 hours and a triage update within five business days. We do not pursue legal action against good-faith researchers operating within standard responsible-disclosure norms.

Security contact

For vulnerability reports, DPA requests, or anything related to your data.

Email security@devsignal.app

Built for engineering teams that take their data seriously.