Security & Trust

RepoWarden is built and operated by Turbo Technologies Ltd (company no. 13124266), a UK-registered company. This page summarises the technical and organisational measures we use to protect customer data. Every claim below maps to something an enterprise security team can verify or audit.

1. Architecture overview

• Frontend: static single-page app delivered from a global edge CDN.
• Backend: serverless edge compute on a SOC 2-attested provider.
• Database: managed SQL database with point-in-time backups; cron-driven scan workflows.
• Authentication: GitHub OAuth; no passwords stored.
• LLM: Anthropic Claude — zero-retention API.
• Billing: Stripe Checkout — card data never touches our systems.

RepoWarden does not operate its own servers, data centres, or office network. All production workloads run on infrastructure provided by the subprocessors listed at /subprocessors.

2. Data handling

What we store:

• Account: GitHub username, user ID, email, avatar.
• Authentication: GitHub OAuth access token (encrypted at rest).
• Repo metadata and scan history.
• Billing: Stripe customer ID, plan, subscription status. No card data.
• Sessions: opaque session tokens, IP, user agent, expiry.

What we do not store:

• Card details, CVV, or bank account numbers.
• Full file trees or git history beyond the manifest/lock files and diffs needed for a PR.
• Special-category personal data.
• LLM prompts and completions beyond the ephemeral request cycle (Anthropic zero-retention API).

Primary processing is on Cloudflare's global edge. UK and EU edge PoPs are used where Cloudflare routing permits. Some subprocessor flows occur in the United States under UK IDTA / EU SCCs.

3. Encryption

• In transit: TLS 1.2+ (TLS 1.3 preferred) on all customer-facing and server-to-server traffic. HTTPS only, HSTS enforced.
• At rest: GitHub OAuth tokens encrypted with AES-256-GCM using a Cloudflare Worker secret held separately from the database. D1 additionally encrypted at rest by Cloudflare.
• Backups inherit the same at-rest encryption.

4. Access control

• End-user authentication is GitHub OAuth only — no passwords.
• Minimum OAuth scopes requested (repo, read:user, user:email).
• Production admin access is restricted to a named, audit-logged list of authorised personnel under documented least-privilege controls, protected by hardware-backed MFA.
• Privileged actions are logged via each provider's audit log.
• Session tokens expire on idle and invalidate on logout.

5. Secure development

• Source on GitHub with branch protection on main.
• Pull-request review and CI (typecheck + tests) before deploy.
• Secrets stored only as Cloudflare Worker secrets or encrypted GitHub Actions secrets.
• Separate staging and production environments.
• We use our own product to keep RepoWarden's dependencies patched.

6. Vulnerability management

• Automated dependency scanning on every commit.
• External penetration testing and security review at least annually, or on material architectural change.
• Responsible disclosure: security@repowarden.dev.

7. Monitoring and logging

• Error monitoring via Sentry with PII scrubbing.
• Product analytics via PostHog, gated by cookie consent.
• Infrastructure logs via Cloudflare.
• Alerts on auth failures, API volume anomalies, webhook failures, and error-rate spikes.

8. Incident response

1. Detect — an alert, user report, or subprocessor advisory triggers the process.
2. Triage — within 4 hours of detection in business hours, we classify severity and scope.
3. Contain — rotate credentials, disable affected endpoints, snapshot evidence.
4. Notify — affected customers within 72 hours of a confirmed Personal Data Breach (UK GDPR Art. 33); regulators as required by law.
5. Remediate and review — post-incident review captures root cause and preventative actions.

9. Business continuity & disaster recovery

• Workloads run on Cloudflare's distributed edge — single-region failure does not interrupt service.
• D1 database is backed up by the provider with point-in-time restore.
• Worker source and schema migrations are version-controlled and redeployable from a known-good commit in minutes.
• RTO 24 hours, RPO 24 hours.
• DR runbook maintained and reviewed at least annually.

10. Data retention and deletion

• Live data retained for the term of the Agreement + up to 30 days after termination.
• Purged from routine backups within a further 90 days.
• OAuth tokens revoked at the provider on account closure.
• Statutory retention (e.g. UK tax: 6 years) maintained where required.

11. Employees and confidentiality

All personnel operate under written confidentiality obligations. Security-awareness briefings on appointment and refreshed annually. Background checks proportionate to role and jurisdiction. Production access is granted on a documented least-privilege basis and reviewed at least annually.

12. Devices

Work is performed on corporate-provisioned devices with full-disk encryption, automatic security updates, and password-managed login with MFA on all admin accounts. No BYOD access to production systems. Removable media is not used for production data.

13. Subprocessors and international transfers

We list every third-party processor on our Subprocessors page. Where data leaves the UK or EEA, we rely on the UK International Data Transfer Addendum and/or EU Standard Contractual Clauses as set out in our DPA.

14. Certifications and attestations

We are happy to complete vendor security questionnaires and share further evidence under NDA.

15. Responsible disclosure

If you believe you have found a security issue in RepoWarden, please email security@repowarden.dev. We commit to acknowledging your report within 2 business days, keeping you informed of our progress, and not pursuing legal action against researchers who act in good faith.

16. Contact

• Privacy / DPA: privacy@repowarden.dev
• Security: security@repowarden.dev
• General: hello@repowarden.dev