Security at DevSignal
We treat security as a feature, not an afterthought. DevSignal is early-stage, so this page describes exactly what we do today — not aspirations. If you have a question it doesn't answer, email security@devsignal.app.
Access & permissions
This is the part that matters most for a tool that connects to your code and your conversations:
- Read-only for your code and tickets. We request the narrowest scopes the feature set allows. We never write to GitHub or Linear.
- The one write we make is to Slack, and it's opt-in. The only action we ever take on your behalf is posting a digest to a Slack channel you choose — something you turn on, never silent.
- GitHub — installed as a GitHub App with read-only access to PRs, reviews, issues, and repo metadata. We don't request write access to your repositories, pull requests, code, workflows, or admin.
- Linear — connected with an API key you paste. The key carries your account's permissions, but DevSignal only reads — issues, comments, and cycles. We don't change issue status, assignees, sprints, or post comments.
- Slack — a bot token scoped to post messages and read channel and member metadata in the channels you authorize. We don't read your DMs or message history beyond what a feature needs.
- Revoke any time — from GitHub, Linear, or Slack directly, or by disconnecting inside DevSignal.
Data protection
- In transit: TLS 1.3 on every endpoint.
- At rest: AES-256. Connection tokens and API keys are encrypted with a separate key.
- Isolation: multi-tenant data is separated at the database layer with Postgres Row-Level Security, scoped per workspace — one customer's data is never reachable by another.
Where your data lives
- Supabase — database and authentication (US).
- Vercel — application hosting (US).
- Anthropic — Claude API for generating reports, digests, and answers (US). Data sent for AI features is used for inference only and is not used to train models.
Data residency is US. We give account owners notice before we change this list.
Your data & your controls
- Delete everything from your account settings — it removes your data in a single operation.
- Export the reports you've generated at any time.
- We store only what's needed to generate your reports — connection metadata, generated summaries, and the context you add. We don't keep your source code or full message bodies after a summary is produced.
Compliance & current posture
We'll be straight with you: we don't have SOC 2 yet. We're in beta, and we'll pursue formal audits as we mature. What's already in place today: least-privilege scopes, read-only-by-default access, per-workspace isolation, encryption in transit and at rest, and US-only subprocessors. If you have specific compliance requirements, reach out before you sign up.
Reporting a vulnerability
Found something? Email security@devsignal.app with steps to reproduce. We acknowledge reports quickly and won't pursue good-faith researchers acting within responsible-disclosure norms.
Quick answers
No. Activity sent to the Claude API is used for inference only and is not used to train any model, ours or Anthropic's.
For GitHub and Linear, yes — read-only. The only write DevSignal makes is posting a digest to a Slack channel you choose, which is an opt-in action you turn on.
In Supabase (Postgres) in the US, encrypted at rest, isolated per workspace with Row-Level Security.
Yes. Deleting your account removes your data in a single operation. You can also export your reports first.
Not yet — we're in beta and will pursue formal audits as we grow. Encryption, isolation, and least-privilege access are already in place today.