Security

How CompassCode handles your data — honest, up-to-date practices for our early-stage product.

Overview

CompassCode is in early development. We take security seriously, and we're transparent about what the product does today versus what's on the roadmap. This page describes our current practices — we'll update it as the product matures.

What we store today

When you connect GitHub, we use a GitHub App installation — not personal access tokens or user OAuth. Today we store repository metadata (name, default branch, provider, organization linkage) and GitHub installation metadata (installation ID, account login). We also store your organization settings and basic account information (email via Supabase Auth).

We do not ingest or store your source code today. There is no indexing pipeline, no embeddings store, and no file content persisted in our systems.

What we don't do (AI)

We do not use your data to train AI models. Today, chat in the product returns mock responses — there is no live LLM integration and no customer data is sent to third-party AI providers. When we add real AI features, we will document what data is sent, which providers we use, and our data-retention commitments on this page before they ship.

GitHub permissions

CompassCode connects via a GitHub App installed on your account or organization. The app is configured with read-only permissions for repository metadata, and read-only permissions for contents, pull requests, and actions — intended for upcoming indexing features.

Today, our API only uses installation metadata and repository listing. We do not call the Contents, Pull Request, or Actions APIs yet. Webhooks are inactive. User-level OAuth during install is disabled.

Isolation

Customer data is isolated logically by organization in a shared Supabase Postgres database. Row Level Security (RLS) enforces org-scoped access. We do not operate separate databases or vector stores per customer today.
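One way to express the org-scoped isolation described above as Postgres Row Level Security policies in Supabase. This is an added example, not CompassCode's own schema or policies; the repositories and org_members tables, the org_id column and the membership model are assumptions.

```sql
-- Added example: org-scoped Row Level Security in a shared Supabase Postgres.
-- Assumed schema (not CompassCode's actual tables): repositories keyed by
-- org_id, and org_members mapping Supabase Auth users to organizations.
CREATE TABLE org_members (
  org_id  uuid NOT NULL,
  user_id uuid NOT NULL REFERENCES auth.users (id),
  PRIMARY KEY (org_id, user_id)
);

CREATE TABLE repositories (
  id             uuid PRIMARY KEY DEFAULT gen_random_uuid(),
  org_id         uuid NOT NULL,
  name           text NOT NULL,
  default_branch text NOT NULL
);

-- Enable RLS, and FORCE it so the table owner is not exempt either.
ALTER TABLE repositories ENABLE ROW LEVEL SECURITY;
ALTER TABLE repositories FORCE ROW LEVEL SECURITY;
ALTER TABLE org_members  ENABLE ROW LEVEL SECURITY;

-- Each user may read only their own membership rows.
CREATE POLICY org_members_self ON org_members
  FOR SELECT TO authenticated
  USING (user_id = auth.uid());

-- One policy covering SELECT, INSERT, UPDATE and DELETE: a row is visible or
-- writable only when the caller belongs to its org. WITH CHECK stops a user
-- from inserting a row into, or moving a row to, an org they are not in.
CREATE POLICY repositories_org_scoped ON repositories
  FOR ALL TO authenticated
  USING (
    org_id IN (SELECT org_id FROM org_members WHERE user_id = auth.uid())
  )
  WITH CHECK (
    org_id IN (SELECT org_id FROM org_members WHERE user_id = auth.uid())
  );
```

These policies constrain the anon and authenticated roles only; the Supabase service_role key bypasses RLS entirely, so any server-side code using it must enforce the org scope itself.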

Infrastructure

Our web app and API are hosted on Fly.io in Stockholm (arn), with HTTPS enforced on all production traffic. Database and authentication are provided by Supabase (managed Postgres). Traffic between your browser, our API, Supabase, and GitHub uses HTTPS.

Encryption

Data in transit is protected by HTTPS across browser, API, database, and GitHub connections. Database encryption at rest is provided by Supabase as part of their managed infrastructure. We do not add separate application-level encryption for repository metadata today.

Chat & logs

Chat messages are not stored on our servers. They exist only in your browser session and are cleared on refresh. We do not offer generated documentation yet. We do not maintain a dedicated query or audit log product feature; standard server logs may include request metadata as part of normal operations.

Deletion & data lifecycle

Removing a repository from CompassCode deletes its metadata from our database immediately. Because we do not store source code, there is no code corpus to purge.

Disconnecting GitHub, deleting your account, and deleting your organization are not fully implemented yet. Uninstalling the GitHub App on GitHub's side does not automatically remove installation records from CompassCode today. We are building complete lifecycle controls as the product matures.

Compliance

CompassCode is a pre-seed product in active development. We have not completed SOC 2 certification or a formal GDPR compliance program. We are not a HIPAA-covered product. As we grow, we plan to invest in security and compliance programs appropriate for enterprise customers.

Subprocessors

We use the following subprocessors to operate the product today:

  • Supabase — database and authentication
  • Fly.io — application hosting
  • GitHub — GitHub App API for installation and repository metadata

Employee access

There is no product feature for CompassCode staff to browse customer repositories or conversations. Because we do not store source code today, there is effectively no customer code in our systems to access. Operational access to infrastructure (e.g. Supabase, Fly.io) is limited to the founding team and is not governed by a formal break-glass policy yet — we will document this as we scale.

Have a security question? Contact us.