The promise we make
We never write to your repositories. We never modify your code, your branches, or your permissions.
Read-only is enforced at the GitHub App permission level. There is no scope, anywhere in the installation, that grants Releap write access to a repository — and there never will be.
How that promise is enforced
Six controls, each independent of the others.
Read-only GitHub App
The Releap GitHub App requests contents: read, metadata: read, pull_requests: read, and nothing else. Installation tokens are short-lived (1 hour) and cannot create commits, branches, comments, status checks, or issues.
Default-deny on repos
A repo is invisible to Lens until a workspace admin explicitly grants visibility. The same default-deny applies to Confluence spaces, Jira projects, and Aha! products. Every retrieval query joins through the visibility table — turning a repo off makes it structurally invisible to retrieval.
Per-tenant isolation
Every chunk, query, ticket, and audit row is scoped by workspace_id. The pgvector index applies the same filter — queries cannot retrieve across tenants even if the application layer is bypassed.
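One way to make the per-tenant scope and the default-deny repo visibility join described above structural at the database layer, shown here as an added PostgreSQL example rather than Releap's own schema. The table names, the app.workspace_id session setting and the row-level-security policies are assumptions; the vector dimension is reduced to 3 so the query literal fits.

```sql
-- Added example (not Releap's schema). Assumes pgvector is installed and the
-- application sets app.workspace_id on every connection as a non-superuser role.
CREATE EXTENSION IF NOT EXISTS vector;

-- Default-deny: a repo contributes nothing until an admin flips visible = true.
CREATE TABLE repo_visibility (
    workspace_id uuid    NOT NULL,
    repo_id      bigint  NOT NULL,
    visible      boolean NOT NULL DEFAULT false,
    PRIMARY KEY (workspace_id, repo_id)
);

CREATE TABLE chunks (
    id           bigserial PRIMARY KEY,
    workspace_id uuid      NOT NULL,
    repo_id      bigint    NOT NULL,
    content      text      NOT NULL,
    embedding    vector(3) NOT NULL   -- dimension reduced for the example
);
CREATE INDEX chunks_tenant_repo ON chunks (workspace_id, repo_id);

-- Row-level security: the tenant filter is applied by PostgreSQL itself, so a
-- query that omits the WHERE clause still sees only the current tenant's rows.
-- FORCE makes the policy apply to the table owner as well (superusers still bypass RLS).
ALTER TABLE chunks ENABLE ROW LEVEL SECURITY;
ALTER TABLE chunks FORCE ROW LEVEL SECURITY;
CREATE POLICY chunks_tenant ON chunks
    USING (workspace_id = current_setting('app.workspace_id')::uuid);

ALTER TABLE repo_visibility ENABLE ROW LEVEL SECURITY;
ALTER TABLE repo_visibility FORCE ROW LEVEL SECURITY;
CREATE POLICY visibility_tenant ON repo_visibility
    USING (workspace_id = current_setting('app.workspace_id')::uuid);

-- Constructed tenant id for the session; the application would set this per request.
SELECT set_config('app.workspace_id', '00000000-0000-0000-0000-000000000001', false);

-- Retrieval joins through the visibility table: a repo with visible = false, or
-- with no visibility row at all, is excluded regardless of its vector distance.
SELECT c.id, c.repo_id, c.embedding <=> '[0.1, 0.2, 0.3]'::vector AS distance
FROM chunks c
JOIN repo_visibility v
  ON  v.workspace_id = c.workspace_id
  AND v.repo_id      = c.repo_id
  AND v.visible
WHERE c.workspace_id = current_setting('app.workspace_id')::uuid
ORDER BY distance
LIMIT 10;
```

The explicit WHERE clause and the RLS policy are deliberately redundant: the query stays correct on its own, and the policy catches any code path that forgets the filter.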
Bring your own LLM
On Business and above, route prompts and embeddings through your own OpenAI-compatible endpoint. Customer data stays inside customer infrastructure under a customer-owned DPA. Provider routing decisions are recorded in the audit log.
Encrypted credentials at rest
GitHub installation tokens, BYO LLM API keys, BYO embedder API keys, Atlassian OAuth tokens, and all integration credentials are AES-256-GCM encrypted at rest with keys sourced from a managed secret store. Credentials are never logged, never echoed in error messages, never returned to the browser.
Audit log
Every privileged action — repo visibility change, BYO config change, MFA reset, API-key creation, integration connect — writes a structured audit row. Lens query and ticket events log structural metadata only; never plaintext content.
Authentication and access
Identity surface available out of the box.
- Magic link — passwordless email sign-in for all plans.
- Google OAuth 2.0 — enforces 2FA on the Google account itself.
- TOTP (2FA) — self-service enrollment, single-use recovery codes hashed at rest, admin-reset for locked-out users.
- SAML / OIDC SSO — Business and Enterprise.
- API keys — workspace-scoped, SHA-256-hashed, with audit-logged creation and revocation. Used for MCP server access and programmatic clients.
- OAuth 2.1 + PKCE — for MCP clients (Claude Code, Cursor, custom agents) so users can grant tokens without pasting long-lived secrets.
Have a security review to run?
We will hand over the GitHub App permissions list, the encryption model, and the audit-log surface in advance of any procurement conversation.
Talk to us