Trust Center
How CodeRifts handles your data, what permissions it requires, and where it runs. No marketing — just facts.
Data Handling
No spec storage
CodeRifts does not store your API specs. Specs are processed in memory and discarded after analysis.
Only diff results returned
Only diff results (risk scores, detected patterns, changelog) are returned to the caller. Nothing is persisted.
No PR content stored
GitHub PR comments are written by the GitHub App using the GitHub API. No PR content is stored.
GitHub App Permissions
CodeRifts requests the minimum permissions needed to function:
| Permission | Level | Why |
|---|---|---|
| Pull Requests | Read/Write | To read PR diffs and post comments |
| Contents | Read | To read .coderifts.yml config file from the repo |
| Checks | Write | To post check run status (block/pass) |
No access to repo code, issues, secrets, or organization data beyond what is listed above.
Infrastructure
Backend: Railway
Hosted in an EU region where Railway offers one; otherwise in the US.
Website: Cloudflare Pages
Static site served from Cloudflare's edge network.
No third-party analytics on API traffic
API requests are not tracked by any external analytics service.
API keys hashed at rest
API keys are stored as SHA-256 hashes. Plaintext keys are never stored.
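As an added illustration of the hash-at-rest pattern this entry describes (example code written for this page, not CodeRifts' own code; the `cr_` prefix, the in-memory store and the function names are hypothetical), the block below issues a random API key, persists only its SHA-256 digest, and authenticates a presented key by hashing it and looking the digest up. It also shows why unsalted SHA-256 is acceptable here but would not be for passwords:

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional

# Hypothetical in-memory store for illustration only: maps the SHA-256 hex
# digest of an API key to its metadata. The plaintext key is never written here.
_KEYS: Dict[str, dict] = {}


def hash_api_key(plaintext: str) -> str:
    """Return the SHA-256 hex digest that is stored in place of the key.

    Unsalted SHA-256 is fine for *API keys* because issue_api_key() makes them
    high-entropy random strings (256 bits): an attacker who obtains the store
    cannot enumerate candidate keys. Do NOT apply this to human-chosen
    passwords, which need a salted, slow hash (e.g. bcrypt/scrypt/argon2).
    """
    return hashlib.sha256(plaintext.encode("utf-8")).hexdigest()


def issue_api_key(owner: str, prefix: str = "cr_") -> str:
    """Create a key, persist only its hash, and hand the plaintext back once.

    The caller must save the returned value; it cannot be recovered from the
    store afterwards, which is exactly the property "hashed at rest" buys.
    """
    plaintext = prefix + secrets.token_urlsafe(32)  # 256 bits of randomness
    _KEYS[hash_api_key(plaintext)] = {"owner": owner, "revoked": False}
    return plaintext


def verify_api_key(presented: str) -> Optional[str]:
    """Authenticate a presented key; return its owner, or None if unknown/revoked."""
    digest = hash_api_key(presented)
    record = _KEYS.get(digest)
    if record is None or record["revoked"]:
        return None
    # Belt-and-braces: a constant-time comparison of the digest we looked up
    # against the stored key, so the verification path never short-circuits
    # on a partial match even if the store is later swapped for a list scan.
    if not hmac.compare_digest(digest, hash_api_key(presented)):
        return None
    return record["owner"]


def revoke_api_key(presented: str) -> bool:
    """Mark a key as revoked (by its hash); return True if it existed."""
    record = _KEYS.get(hash_api_key(presented))
    if record is None:
        return False
    record["revoked"] = True
    return True


def store_holds_only_hashes() -> bool:
    """Self-check: every stored identifier is a 64-char hex SHA-256 digest."""
    return all(len(k) == 64 and all(c in "0123456789abcdef" for c in k) for k in _KEYS)


if __name__ == "__main__":
    key = issue_api_key("demo-tenant")
    print("issued key (shown once):", key)
    print("owner for valid key    :", verify_api_key(key))
    print("owner for wrong key    :", verify_api_key(key + "x"))
    print("store holds only hashes:", store_holds_only_hashes())
    revoke_api_key(key)
    print("owner after revocation :", verify_api_key(key))
```

The practical consequence for operators is the one the page states: a dump of the key table yields no usable credentials, and a lost key is replaced by issuing a new one rather than recovered. The `revoke_api_key` helper is included because a hashed store still needs a way to invalidate a leaked key without knowing its plaintext in the database.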
Compliance
GDPR
No personal data is collected or processed through the API.
SOC 2
In progress.
Security contact
Uptime
Auto-deploy on main branch
Backend hosted on Railway with automatic deployments from the main branch.
No formal SLA yet
Targeting 99.9% uptime.