91% of developers use AI tools. Your repo is accumulating technical debt RIGHT NOW.
Security & Compliance
Built for teams that ship to regulated environments. Your code is processed securely, never stored, and never used to train models.
Data Flow Architecture
Code is processed in an isolated, stateless pipeline. Only review metadata is persisted — never your source code.
PR Created
GitHub webhook
Connectory Engine
In-memory processing
Policy Check
Rules & standards
AI Analysis
Isolated, stateless
Review Posted
PR comments
Audit Log
Metadata only
Security Controls
Enterprise-grade controls designed for teams shipping to production in regulated environments.
SOC 2 Type II
Independently audited with continuous monitoring across security, availability, and confidentiality trust service criteria.
AES-256 Encryption at Rest
All persisted data encrypted with AES-256. API keys and tokens stored in isolated, hardware-backed vaults.
TLS 1.3 in Transit
All data transmitted over TLS 1.3 with forward secrecy. No plaintext communication at any layer.
Zero Code Storage
Source code is processed in memory during reviews and discarded immediately. No code is persisted to disk or databases.
No Model Training
Your code is never used to train AI models. Repository learnings are stored as abstract patterns, never raw code.
SSO / SAML / SCIM
Enterprise identity management with SAML 2.0 single sign-on and SCIM provisioning for automated user lifecycle.
RBAC & Least Privilege
Role-based access controls with principle of least privilege. Granular permissions per repository, team, and org.
Self-Hosted Deployment
Run Connectory entirely within your infrastructure. Full data sovereignty — no code ever leaves your network.
Compliance Framework Coverage
Connectory is designed to support your compliance posture across the major frameworks your legal and security teams care about.
SOC 2 Type II
Certified5 / 5 controls coveredSecurity (CC6)
Logical and physical access controls restrict unauthorized access to data and systems.
Availability (A1)
System availability commitments and SLA obligations are met with 99.9% uptime.
Confidentiality (C1)
Confidential information is protected through encryption, access controls, and retention policies.
Processing Integrity (PI1)
System processing is complete, valid, and authorized — reviews are not altered in transit.
Privacy (P1)
Personal information is collected, used, retained, and disclosed in conformity with commitments.
GDPR
Compliant5 / 5 controls coveredData minimization
Only the minimum personal data necessary is collected and processed for each purpose.
Right to erasure
Data subjects can request deletion of their personal data within the timelines mandated by Art. 17.
DPA available
A Data Processing Agreement is available for all enterprise customers who require it.
Breach notification 72h
Connectory commits to notifying affected controllers within 72 hours of discovering a personal data breach.
SCCs for transfers
Standard Contractual Clauses are in place for all international data transfers outside the EEA.
CCPA
In Progress5 / 5 controls coveredRight to know
Consumers can request disclosure of personal information collected, used, or disclosed about them.
Right to delete
Consumer deletion requests are honored within 45 days with verification processes in place.
No sale of PI
Connectory does not sell personal information to third parties under any circumstances.
Opt-out mechanisms
Clear opt-out mechanisms are provided for data collection beyond core service delivery.
Annual review
Privacy practices are reviewed annually to maintain compliance as regulations evolve.
ISO 27001
In Progress5 / 5 controls coveredA.8 Asset management
Information assets are inventoried, classified, and managed throughout their lifecycle.
A.9 Access control
Access to information and systems is restricted based on business and security requirements.
A.10 Cryptography
Cryptographic controls protect data confidentiality, integrity, and authenticity in transit and at rest.
A.12 Operations security
Operational procedures and responsibilities ensure secure information processing facilities.
A.14 System acquisition
Security requirements are integrated into the development lifecycle for all new systems.
NIST 800-53
In Progress5 / 5 controls coveredAC — Access Control
Policy and procedures limit system access to authorized users, processes, and devices.
AU — Audit & Accountability
Audit records are created, reviewed, and protected to support accountability requirements.
SC — System & Comms Protection
Communications are monitored, controlled, and protected at external boundaries and key internal points.
SI — System & Info Integrity
Systems are protected against malicious code, flaws are identified and corrected in a timely manner.
RA — Risk Assessment
Risk assessments are conducted periodically and upon significant changes to the system environment.
Global Infrastructure & Reliability
Connectory runs across three geographically distributed regions with automatic failover and a contractual 99.9% uptime SLA.
Active regions
US-East
Virginia, USA
PrimaryUS-West
Oregon, USA
EU-West
Dublin, Ireland
Redundancy & Recovery
Multi-AZ deployment
Each region spans multiple availability zones for fault isolation.
Automated failover
Health checks trigger automatic traffic rerouting within seconds.
Daily backups
Automated snapshots retained for 30 days with point-in-time restore.
RPO < 1 hour
Recovery Point Objective under 1 hour for all data stores.
Uptime SLA
Contractual uptime guarantee backed by redundant multi-region infrastructure.
99.97%
Avg. uptime (12 mo)
0 P0
Incidents (12 mo)
Incident Response
A structured, time-bound process ensures every security event is handled consistently — from the first alert to the final post-mortem.
Detection
Automated monitoring surfaces anomalous behaviour across infrastructure, application, and security telemetry streams.
Triage
On-call engineers classify incident severity, notify relevant teams, and open a dedicated incident channel.
Containment
Affected systems are isolated to limit blast radius. Evidence is preserved for forensic analysis before remediation begins.
Resolution
Root cause is identified, a targeted fix is developed and tested, then deployed through the standard change management pipeline.
Post-Mortem
A blameless retrospective documents timeline, root cause, and corrective actions. Findings feed back into process improvement.
SLA Commitments
API Security
Every integration surface is hardened with authentication, traffic controls, and cryptographic verification.
Authentication
Industry-standard protocols protecting every API request from the first call.
- OAuth 2.0 authorization framework
- API key rotation with zero downtime
- JWT tokens with short expiry windows
- PKCE flow support for public clients
Rate Limiting
Fair usage enforcement that protects platform stability for all tenants.
- Per-endpoint configurable limits
- Exponential backoff guidance in errors
- Burst allowance for spiky workloads
- 429 responses include Retry-After header
Webhook Security
Every outbound event is signed and verified so your systems only accept authentic payloads.
- HMAC-SHA256 payload signatures
- Timestamp validation prevents replay
- Replay protection with nonce tracking
- IP allowlisting for delivery endpoints
// Verify incoming webhook signature
import { createHmac, timingSafeEqual } from "crypto"
function verifyWebhookSignature(
payload: string,
signature: string,
secret: string,
timestamp: string,
): boolean {
// Reject stale events (>5 min old)
const age = Date.now() / 1000 - parseInt(timestamp, 10)
if (age > 300) return false
const expected = createHmac("sha256", secret)
.update(`${timestamp}.${payload}`)
.digest("hex")
const sigBuffer = Buffer.from(signature.replace("sha256=", ""), "hex")
const expBuffer = Buffer.from(expected, "hex")
return timingSafeEqual(sigBuffer, expBuffer)
}Timing-safe comparison prevents length-based timing attacks. All webhook deliveries include a X-Connectory-Signature and X-Connectory-Timestamp header.
Responsible Disclosure
We welcome security researchers who help make Connectory safer. If you discover a potential vulnerability, please report it privately so we can investigate and remediate before any public disclosure.
Scope
In scope
- Connectory web platform (app.connectory.ai)
- Public REST and GraphQL APIs
- GitHub App and OAuth integration flows
- Authentication and session handling
- Data isolation and access control
Out of scope
- Third-party services (GitHub, Stripe, AWS)
- Social engineering or phishing attacks
- Physical security or hardware
- Denial-of-service (DoS/DDoS) testing
- Vulnerabilities in out-of-date browser versions
Process
Report
Email security@connectory.ai with a clear description, reproduction steps, and any proof-of-concept. PGP encryption available on request.
Acknowledge
We confirm receipt within 24 hours and assign a tracking reference so you always know the status of your report.
Investigate
Our security team triages and validates the finding. We may reach out for clarification and will keep you updated throughout.
Fix & Disclose
Once resolved, we coordinate disclosure timing with you and publish a summary (where appropriate). You are credited by name or alias.
Contact
Send vulnerability reports to security@connectory.ai. We support PGP-encrypted submissions — request our public key in your initial message and we will provide it promptly.
Please include: affected component, reproduction steps, impact assessment, and any supporting screenshots or PoC code.
Recognition
We deeply appreciate the work of security researchers. Reporters of valid, in-scope vulnerabilities are publicly acknowledged in our security advisories — by full name, alias, or anonymously, according to your preference.
While we do not currently operate a paid bug-bounty programme, we recognise every researcher who helps us protect our customers.
Need a security review?
We work with enterprise security teams through procurement. Request our SOC 2 report, penetration test results, or schedule an architecture review.