Security & Privacy

Your code is your most sensitive asset. BeforeMerge is designed so that source code is never stored permanently, scans run in full isolation, and access is scoped to the minimum required at every layer.

How we protect your code

Security is built into every layer of the scanning pipeline, from repository access to result storage.

No permanent code storage

Repositories are cloned into the scan container's ephemeral temporary storage for the duration of a scan. Once the scan completes, the clone is deleted along with the container. Source code is never written to durable disk or object storage.

Isolated scan containers

Every scan runs inside its own isolated container on Fly.io. Containers are destroyed after each scan, ensuring complete process and filesystem isolation between jobs.

Minimum required permissions

The BeforeMerge GitHub App requests only read-only code access. No write permissions to your repository, branches, or settings are ever requested.

Short-lived, scoped tokens

GitHub installation access tokens are minted per scan and scoped to the specific repository being scanned. They are never written to storage and expire automatically once the scan is done; GitHub caps their lifetime at one hour regardless.

Secret detection with redaction

If the scanner detects secrets or credentials in your code, the matched values are redacted before the finding is written to scan results. The dashboard shows where a secret was found and which rule matched, never the sensitive value itself.
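The following is an added example of what "detect, then redact before the finding is stored" looks like in practice. It is not BeforeMerge's scanner code; the rule set, the `redact` and `scanForSecrets` helpers, the file path and the sample file contents are all constructed for this illustration. The point it shows is that the raw match is consumed inside the scan function and only a length-preserving masked form reaches the finding object.

```javascript
// Added example (not BeforeMerge's code): secret detection with redaction.
// Rule set and sample file below are constructed for the demo.

// Hypothetical rule set: regex plus how many leading characters may be shown.
// A short visible prefix lets a reviewer recognise the credential type without exposing it.
const RULES = [
  { id: 'aws-access-key-id', pattern: /\bAKIA[0-9A-Z]{16}\b/g, keep: 4 },
  { id: 'github-pat', pattern: /\bghp_[A-Za-z0-9]{36}\b/g, keep: 4 },
  { id: 'generic-password', pattern: /password\s*=\s*["']([^"']{8,})["']/gi, keep: 0, group: 1 },
];

// Mask everything after the allowed prefix, preserving length so a 20-character AWS key
// and a 40-character GitHub token remain distinguishable in the dashboard.
function redact(value, keep) {
  return value.slice(0, keep) + '*'.repeat(Math.max(0, value.length - keep));
}

// Scan file text line by line. Each finding carries only the path, line number,
// rule id and the redacted match; the raw secret never leaves this function.
function scanForSecrets(path, text) {
  const findings = [];
  text.split('\n').forEach((line, idx) => {
    for (const rule of RULES) {
      rule.pattern.lastIndex = 0; // reset the /g regex before reuse
      let m;
      while ((m = rule.pattern.exec(line)) !== null) {
        const secret = rule.group ? m[rule.group] : m[0];
        findings.push({ path, line: idx + 1, rule: rule.id, redacted: redact(secret, rule.keep) });
      }
    }
  });
  return findings;
}

// Constructed sample file. The AWS key is the placeholder from AWS's own documentation;
// the GitHub token is a made-up string of the right shape, not a real credential.
const SAMPLE_FILE = [
  'AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE',
  'export GITHUB_TOKEN=ghp_0123456789abcdefghijABCDEFGHIJ012345',
  'db_password = "hunter2hunter2"',
  'const greeting = "hello world"',
].join('\n');

function demoFindings() {
  return scanForSecrets('config/settings.env', SAMPLE_FILE);
}

console.log(JSON.stringify(demoFindings(), null, 2));
```

Note that `redact` runs before the finding object is constructed, so nothing downstream (storage, API, UI) ever sees the plaintext; if redaction were applied at display time instead, the secret would still be sitting in the results database.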

No third-party code access

All scanning tools run locally inside the scanner container. No source code is transmitted to external services, APIs, or third-party analysis platforms.

Your data, your control

We collect only what is necessary to run scans and display results. Nothing more.

What we collect

  • GitHub repository metadata (name, owner, language, default branch)
  • Scan results including findings, rule matches, and severity levels
  • Account information (GitHub username, email, organization membership)
  • Usage analytics (scan counts, feature usage) to improve the product

What we do not collect

  • Source code — cloned temporarily for scanning, then deleted
  • Credentials or secrets — redacted automatically if detected
  • Personal browsing data or activity outside of BeforeMerge
  • Code from repositories you have not explicitly connected

Data protection

Multiple layers of access control ensure your data stays within your organization.

Row-level security

All data is stored in Supabase (Postgres) with row-level security policies. Database queries are automatically scoped so users can only access rows belonging to their organization.

Organization-scoped access

Every resource in BeforeMerge is scoped to an organization. Users only see their own org's repositories, scan results, and configurations. There is no cross-org data leakage.

Encryption in transit

All connections between your browser, our API, the database, and the scanner use TLS encryption. No data is ever transmitted in plaintext.

Infrastructure

Built on trusted, modern infrastructure with security defaults at every layer.

Scanner: Fly.io

Isolated VMs with per-scan containers. Code is cloned, scanned, and deleted within the VM lifecycle.

Web Application: Vercel

Next.js application deployed on Vercel with edge network, automatic HTTPS, and DDoS protection.

Database: Supabase

Managed Postgres with row-level security, encrypted at rest, automatic backups, and connection pooling.

Authentication: Supabase Auth

OAuth via GitHub with secure session management. No passwords stored by BeforeMerge.

Webhooks: GitHub

All incoming GitHub webhooks are verified before processing: the HMAC-SHA256 signature GitHub sends in the X-Hub-Signature-256 header is recomputed over the raw request body with the webhook secret, and deliveries that fail validation are rejected.

Compliance & commitments

We take security seriously and are working toward industry-standard certifications.

SOC 2 Type II

We are building toward SOC 2 Type II compliance, implementing controls for security, availability, and confidentiality from day one.

Responsible disclosure

If you discover a security vulnerability, please report it to security@beforemerge.com. We respond within 48 hours.

Data deletion

You can request full deletion of your account and all associated data at any time. We process deletion requests within 30 days.

Minimal data retention

Scan results are retained only while your account is active. Source code is never retained beyond the duration of a single scan.

Questions about security?

We are happy to answer any questions about how we handle your code and data. Reach out anytime.