Grassion
Security at Grassion

Built for enterprise trust.

Grassion analyzes engineering workflow metadata. We never read or store your source code.

Our commitment

Grassion never reads your source code. We only read PR metadata visible in GitHub — titles, commit messages, and timestamps. No code is stored. Ever.

What Grassion reads

Pull request metadata as it appears in GitHub: PR titles, commit messages, timestamps, and review outcomes.

What Grassion never touches

Your source code. It is never read or stored.

Exact GitHub permissions we request

read:user

Your GitHub username and public profile. Same as any GitHub OAuth app.

repo

Used to read PR metadata, commit messages, and review outcomes. Note that GitHub defines repo as full access to public and private repositories, including write access; there is no read-only variant of this OAuth scope, so the restriction to reading is Grassion's policy rather than a limit GitHub enforces.

read:org

Verify organisation membership. Cannot modify org settings or member permissions.

read:user and read:org are read-only scopes enforced by GitHub. repo is not: a token carrying it is able to write, so Grassion's read-only behaviour toward your repositories rests on our policy and on what our code actually does, not on a technical impossibility. Organisations that want an enforced boundary can use GitHub's third-party OAuth application access restrictions to control which apps may access organisation data, and can review an app's activity in the organisation audit log. The same scopes are requested by Vercel, Netlify, Linear, and thousands of developer tools.
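One way to check the scope claims above against a real token, as an added example that is not Grassion's code: GitHub returns a token's granted scopes in the X-OAuth-Scopes response header of any authenticated REST API call. The script below reads that header (or, when no GITHUB_TOKEN environment variable is set, parses a constructed sample header carrying the three scopes listed on this page) and flags any scope that permits writes. The GITHUB_TOKEN variable name and the read-only/write classification tables are the example's own choices, drawn from GitHub's published scope descriptions.

```python
"""Audit the scopes a GitHub OAuth token actually holds.

GitHub returns a token's granted scopes in the X-OAuth-Scopes response header
of every authenticated REST API call. Comparing that header against a list of
write-capable scopes checks a vendor's "read-only" claim against the token
GitHub actually issued, rather than against the vendor's description of it.
"""
import os
import urllib.request
from typing import Dict, Iterable, List

# Classic OAuth scopes that GitHub documents as read-only.
READ_ONLY_SCOPES = {
    "read:user", "user:email", "read:org", "read:packages",
    "read:repo_hook", "read:discussion",
}

# Classic OAuth scopes that grant some form of write access. "repo" is here
# because GitHub defines it as full control of public and private
# repositories; there is no read-only variant of it.
WRITE_SCOPES = {
    "repo", "public_repo", "repo:status", "repo_deployment", "delete_repo",
    "workflow", "write:org", "admin:org", "write:repo_hook", "admin:repo_hook",
    "write:packages", "delete:packages", "gist", "user",
}


def parse_scope_header(value: str) -> List[str]:
    """Split the comma-separated X-OAuth-Scopes header into scope names."""
    return [s.strip() for s in value.split(",") if s.strip()]


def classify_scopes(scopes: Iterable[str]) -> Dict[str, str]:
    """Map each scope to 'read-only', 'write', or 'unknown'.

    Unknown scopes are reported rather than assumed safe, so a new or
    unexpected scope gets a manual look instead of a silent pass.
    """
    result: Dict[str, str] = {}
    for scope in scopes:
        if scope in READ_ONLY_SCOPES:
            result[scope] = "read-only"
        elif scope in WRITE_SCOPES:
            result[scope] = "write"
        else:
            result[scope] = "unknown"
    return result


def is_read_only(scopes: Iterable[str]) -> bool:
    """True only if every scope is a known read-only scope.

    An empty scope list means the header was missing or empty (for example a
    GitHub App installation token, which has no OAuth scopes), so nothing can
    be verified and the answer is False rather than a vacuous True.
    """
    scopes = list(scopes)
    if not scopes:
        return False
    return all(kind == "read-only" for kind in classify_scopes(scopes).values())


def fetch_token_scopes(token: str) -> List[str]:
    """Call the GitHub API with the token and read back its granted scopes."""
    request = urllib.request.Request(
        "https://api.github.com/user",
        headers={
            "Authorization": f"Bearer {token}",
            "Accept": "application/vnd.github+json",
            "User-Agent": "scope-audit",
        },
    )
    with urllib.request.urlopen(request) as response:
        return parse_scope_header(response.headers.get("X-OAuth-Scopes", ""))


def report(scopes: Iterable[str]) -> str:
    """Render one line per scope plus an overall verdict."""
    scopes = list(scopes)
    kinds = classify_scopes(scopes)
    lines = [f"  {scope:<16} {kind}" for scope, kind in kinds.items()]
    verdict = "read-only" if is_read_only(scopes) else "NOT read-only"
    return "\n".join(lines + [f"verdict: {verdict}"])


if __name__ == "__main__":
    token = os.environ.get("GITHUB_TOKEN")  # assumed variable name for a live check
    if token:
        scopes = fetch_token_scopes(token)
    else:
        # Constructed sample header: the three scopes listed on this page.
        scopes = parse_scope_header("repo, read:org, read:user")
    print(report(scopes))
```

Run with GITHUB_TOKEN set to the OAuth token an app was issued to see what GitHub actually granted; without it, the constructed sample reproduces this page's three scopes and reports repo as write-capable. The header is only populated for OAuth app tokens and classic personal access tokens. If Grassion is installed as a GitHub App, as the uninstall instructions further down suggest, inspect the permissions shown on the installation page in your organisation's settings instead: GitHub App installations receive fine-grained repository permissions (for example, Pull requests: Read-only) rather than OAuth scopes.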

Where your data lives

Database
Supabase PostgreSQL
SOC 2 Type II attested. Encrypted at rest with AES-256. Mumbai region.
Hosting
Fly.io
SOC 2 compliant infrastructure. TLS encryption in transit. Zero-downtime deploys.
Authentication
GitHub OAuth only
No passwords stored anywhere. Session JWTs expire after 7 days, and sessions can be revoked from Settings.
Payments
Razorpay
PCI DSS compliant. We never see or store card details; payment data goes directly to Razorpay.

Your data, your control

Delete all your data at any time from Settings → Danger Zone. We permanently remove all records within 24 hours. No backups retained. You can also uninstall the GitHub App at any time to stop all data collection immediately.

Security questions?

Email us at info@grassion.com
We respond within 24 hours.