Security

Security & trust

DevSignal reads what your team already produces — through each tool's official API, with the narrowest access needed and nothing more. Here's exactly how.

Security at DevSignal

We treat security as a feature, not an afterthought. DevSignal is early-stage, so this page describes exactly what we do today — not aspirations. If you have a question it doesn't answer, email security@devsignal.app.

Access & permissions

This is the part that matters most for a tool that connects to your code and your conversations:

Data protection

Where your data lives

Data residency is US. We give account owners notice before we change this list.

Your data & your controls

Compliance & current posture

We'll be straight with you: we don't have SOC 2 yet. We're in beta, and we'll pursue formal audits as we mature. What's already in place today: least-privilege scopes, read-only-by-default access, per-workspace isolation, encryption in transit and at rest, and US-only subprocessors. If you have specific compliance requirements, reach out before you sign up.

Reporting a vulnerability

Found something? Email security@devsignal.app with steps to reproduce. We acknowledge reports quickly and won't pursue good-faith researchers acting within responsible-disclosure norms.

Quick answers

No. Activity sent to the Claude API is used for inference only and is not used to train any model, ours or Anthropic's.

For GitHub and Linear, yes — read-only. The only write DevSignal makes is posting a digest to a Slack channel you choose, which is an opt-in action you turn on.

In Supabase (Postgres) in the US, encrypted at rest, isolated per workspace with Row-Level Security.

Yes. Deleting your account removes your data in a single operation. You can also export your reports first.

Not yet — we're in beta and will pursue formal audits as we grow. Encryption, isolation, and least-privilege access are already in place today.