Security & GitHub App FAQ
How Technical Accounting connects to your code, what we collect, and how we keep it safe.
This page summarizes how Technical Accounting connects to your code and how we protect your data. It describes our technical security posture; if you need a formal compliance package (SOC 2, DPA, subprocessor list, data-retention policy), please reach out. Those are handled separately.
Installing the GitHub App
Standard install flow. You install our GitHub App on your organization and select the specific repositories it can access. No personal access tokens, no password sharing.
Read-only, narrow scope. The App requests read-only access to repository contents and commit history, plus installation metadata, and only for the repositories you select at install time. We ingest commit metadata (authors, file paths, and change statistics) to power the product. Because the App holds no write permission, it cannot push to or otherwise modify your repositories.
No stored GitHub credentials. We do not store GitHub tokens. Access uses short-lived installation tokens (1-hour expiry) that we request from GitHub on demand, authenticating as the App with a JWT signed by the App's private key. Installation tokens are held only in memory for as long as they are needed. There is no long-lived credential in our database to leak.
Revoke anytime. Removing the App — or an individual repository — from your GitHub organization immediately revokes our access. We process GitHub's uninstall and suspend events automatically.
How we protect your data
Encryption at rest. Repository data is stored in an encrypted database. For non-GitHub sources that require a stored token (e.g. GitLab, Azure Repos), tokens are encrypted with AES-256-GCM envelope encryption: each token is encrypted under its own data key, and that data key is in turn encrypted under a master key that never leaves the secret store. Plaintext tokens are never persisted.
Encryption in transit. All connections use TLS.
Authentication & sessions. User sign-in is via WorkOS, with support for SSO. Sessions are protected with sealed, encrypted cookies. Requests to GitHub made as the App itself (including minting installation tokens) are authenticated with short-lived RS256 JWTs signed by the App's private key.
Install-flow integrity. The state value carried through the GitHub App installation round-trip is HMAC-signed and time-limited, so a callback that arrives with a forged, tampered, expired, or previously used state is rejected.
Secrets management. All secrets are stored in a dedicated secret store — never in source code or configuration files.
Isolated infrastructure. The service runs on Cloudflare's serverless platform. Repository cloning happens in isolated, ephemeral sandboxed containers that are torn down after use.
What we collect
We collect commit metadata and repository structure — commit authors, timestamps, file paths, and change statistics derived from your git history. We do not retain full source code beyond the transient clone needed to walk repository history.
Questions?
For security questionnaires, compliance documentation, or specific data-handling questions, contact us at [email protected].
