Security

How we handle your data

StagingReservation is a small, focused tool. The list of things we do — and don't do — with your data is short on purpose. This page is the honest version.

What we see

Through the GitHub App, we receive:

  • Branch and tag names on connected repositories (push, create, and tag webhook events).
  • Deployment status events (state transitions like pending → success).
  • Pull-request metadata only as far as the branch / SHA the slot is tracking.
  • Your GitHub login + profile (only what the OAuth scope grants — name, public email, avatar).

We do not read repository contents, issue bodies, or comments. The GitHub App permission requested is intentionally narrow — see integrations/github.

Where it lives

  • Encryption in transit: HTTPS everywhere via Cloudflare, with HSTS (12-month) + a strict Content-Security-Policy.
  • Encryption at rest: MySQL on disk-encrypted VPS storage.
  • Access: workspace data is scoped at the page and server-module level; cross-workspace queries are gated by the membership check (see src/lib/auth-helpers.ts).
  • Webhook integrity: every GitHub webhook is HMAC-SHA256 verified against the app secret; duplicate deliveries are deduped by X-GitHub-Delivery.
  • Rate limiting: per-IP on the webhook endpoint, per-user on workspace POST routes.
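The webhook-integrity bullet above combines two checks: an HMAC-SHA256 signature over the raw request body, and replay suppression keyed on the delivery id. The TypeScript below is an added illustration of that pattern, not StagingReservation's own handler. It assumes Node's built-in `crypto` module and GitHub's documented `X-Hub-Signature-256` header format (`sha256=<hex digest of the raw body>`); the secret, the sample payload and the delivery ids are constructed for the example.

```typescript
import { createHmac, timingSafeEqual } from "crypto";

// GitHub signs the raw body with HMAC-SHA256 under the app's webhook secret and
// sends the hex digest as "sha256=<hex>" in X-Hub-Signature-256. Verify over the
// exact bytes received; re-serialising parsed JSON would change the digest.
function verifyGithubSignature(
  secret: string,
  rawBody: string | Buffer,
  signatureHeader: string | undefined,
): boolean {
  if (!signatureHeader || !signatureHeader.startsWith("sha256=")) return false;
  const expected = createHmac("sha256", secret).update(rawBody).digest();
  const presented = Buffer.from(signatureHeader.slice("sha256=".length), "hex");
  // timingSafeEqual throws on unequal lengths, so check length first; a wrong
  // length is a definite mismatch, not a timing leak.
  if (presented.length !== expected.length) return false;
  return timingSafeEqual(presented, expected);
}

// Replay suppression keyed on X-GitHub-Delivery. A bounded in-memory set is
// enough for a single process; a shared store would be needed across replicas.
class DeliveryDeduper {
  private readonly seen = new Set<string>();
  constructor(private readonly maxEntries = 10_000) {}

  // Returns true the first time a delivery id is seen (and records it),
  // false on any later sighting of the same id.
  claim(deliveryId: string): boolean {
    if (this.seen.has(deliveryId)) return false;
    if (this.seen.size >= this.maxEntries) {
      // Set iterates in insertion order, so the first entry is the oldest.
      const oldest = this.seen.values().next().value;
      if (oldest !== undefined) this.seen.delete(oldest);
    }
    this.seen.add(deliveryId);
    return true;
  }
}

type WebhookOutcome = "accepted" | "bad_signature" | "missing_delivery_id" | "duplicate";

// Signature is checked before the dedup set is touched, so unauthenticated
// traffic cannot burn a delivery id and cause a later genuine delivery to be
// dropped as a duplicate.
function handleWebhook(
  secret: string,
  headers: Record<string, string | undefined>,
  rawBody: string,
  deduper: DeliveryDeduper,
): WebhookOutcome {
  if (!verifyGithubSignature(secret, rawBody, headers["x-hub-signature-256"])) {
    return "bad_signature";
  }
  const deliveryId = headers["x-github-delivery"];
  if (!deliveryId) return "missing_delivery_id";
  if (!deduper.claim(deliveryId)) return "duplicate";
  return "accepted";
}

// Produces the header value GitHub would send for a body; used only to build
// the constructed sample deliveries below.
function signBody(secret: string, rawBody: string): string {
  return "sha256=" + createHmac("sha256", secret).update(rawBody).digest("hex");
}

// Constructed sample: a push event for a feature branch (not a real delivery).
const SAMPLE_SECRET = "constructed-example-secret";
const SAMPLE_BODY = JSON.stringify({ ref: "refs/heads/feature/login", after: "0123abcd" });

// Walks through four deliveries and returns each outcome in order.
function demoOutcomes(): WebhookOutcome[] {
  const deduper = new DeliveryDeduper();
  const goodSig = signBody(SAMPLE_SECRET, SAMPLE_BODY);
  const tampered = SAMPLE_BODY.replace("feature/login", "main");
  return [
    // 1. genuine delivery d-1
    handleWebhook(SAMPLE_SECRET, { "x-hub-signature-256": goodSig, "x-github-delivery": "d-1" }, SAMPLE_BODY, deduper),
    // 2. GitHub redelivers d-1 (same body, same signature) -> suppressed
    handleWebhook(SAMPLE_SECRET, { "x-hub-signature-256": goodSig, "x-github-delivery": "d-1" }, SAMPLE_BODY, deduper),
    // 3. body altered in flight under a valid-looking signature for d-2 -> rejected
    handleWebhook(SAMPLE_SECRET, { "x-hub-signature-256": goodSig, "x-github-delivery": "d-2" }, tampered, deduper),
    // 4. genuine d-2 still accepted: the rejected attempt never claimed the id
    handleWebhook(SAMPLE_SECRET, { "x-hub-signature-256": goodSig, "x-github-delivery": "d-2" }, SAMPLE_BODY, deduper),
  ];
}
```

The ordering matters: verify the signature on the raw bytes first, then dedup, then parse the JSON. Reversing the first two lets an unsigned request pre-claim a delivery id, and parsing before verifying means untrusted bytes reach the JSON parser.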

What we don't do

  • Deploy your code. We mirror state from your CI. We never run kubectl, ssh, or call Vercel / workflow_dispatch on your behalf.
  • Sell or share your data. No third-party ad networks, no analytics resale.
  • Persist secrets you give GitHub. The GitHub App authenticates as itself; we never see your CI tokens.

Reporting a vulnerability

Please disclose responsibly. Email [email protected] with "security" in the subject line. We respond within one business day and prioritise fixes that affect confidentiality or integrity of customer data.

We don't run a paid bounty yet. Good-faith reports get a public acknowledgment (with your permission) and our genuine thanks.

Compliance posture

We're an honest beta — we have not pursued a SOC 2 / ISO 27001 / HIPAA / FedRAMP audit. The technical controls listed above are the substrate any of those certifications would be built on, so this isn't a long road if a customer asks. Talk to us early if you need a signed DPA or a security questionnaire response.

See also: Privacy, Terms, Docs.