Your code stays yours
Deviera connects to your GitHub and GitLab repositories, Linear and Jira workspaces, and Vercel projects. Here is exactly what we access, how we store it, and how we protect it.
The short version
We never read your source code. OAuth tokens are encrypted at rest. Webhooks are HMAC-verified. API keys are SHA-256 hashed. Every request is scoped to your workspace.
Security practices
Tokens stored encrypted
OAuth tokens for GitHub, GitLab, Linear, Jira, and Vercel are encrypted before they are written to PostgreSQL. The encryption key is supplied as an environment-level secret and is not stored alongside the data. Tokens are never written to logs and never returned in API responses.
API keys hashed with SHA-256
Personal API keys are shown once, at creation. Deviera stores only a SHA-256 hash of the key, so a lost key cannot be recovered; revoke it and generate a new one from your dashboard at any time.
Webhook signature verification
Every inbound GitHub webhook is verified with HMAC-SHA256 against your webhook secret before it is processed. Billing webhooks from our payment processor are verified against the processor's signature in the same way. Requests whose signature is missing or does not match are rejected with HTTP 401.
No source code access
Deviera never reads your source code. GitHub webhooks deliver metadata only — commit SHAs, branch names, workflow run results, PR titles, and issue labels. Your code never leaves GitHub.
Cross-account isolation
Every API route checks that the requesting user is a member of the workspace that owns the requested resource before the resource is returned. Automation events, signals, and integrations are strictly scoped: one workspace cannot access another's data.
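The block below is an added example of the scoping rule, not Deviera's route code. It contrasts a lookup by id alone (the insecure direct object reference that this rule prevents) with one whose query carries the caller's workspace membership, and wraps the check in a route-level helper so no handler can forget it. The in-memory tables and ids are constructed for the example.

```javascript
// Constructed stand-ins for the memberships and signals tables.
const db = {
  memberships: [
    { userId: 'user_a', workspaceId: 'ws_1' },
    { userId: 'user_b', workspaceId: 'ws_2' },
  ],
  signals: [
    { id: 'sig_100', workspaceId: 'ws_1', trigger: 'ci_failed', repo: 'acme/api' },
    { id: 'sig_200', workspaceId: 'ws_2', trigger: 'pr_stale', repo: 'other/app' },
  ],
};

class HttpError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Broken pattern: fetched by id alone, so any signed-in user who guesses or
// enumerates an id reads another workspace's signal.
function getSignalUnscoped(db, userId, signalId) {
  const found = db.signals.find((s) => s.id === signalId);
  return found === undefined ? null : found;
}

function workspacesFor(db, userId) {
  return db.memberships.filter((m) => m.userId === userId).map((m) => m.workspaceId);
}

// Scoped pattern: the workspace filter is part of the lookup itself, so a record the
// caller may not see is never fetched. 404 rather than 403 avoids confirming the id exists.
function getSignalScoped(db, userId, signalId) {
  const allowed = workspacesFor(db, userId);
  const signal = db.signals.find((s) => s.id === signalId && allowed.includes(s.workspaceId));
  if (!signal) throw new HttpError(404, 'not found');
  return signal;
}

// Route-level wrapper: every handler gets the membership check, not only those
// that remember to call it.
function withWorkspaceScope(handler) {
  return (db, userId, params) => {
    if (!workspacesFor(db, userId).includes(params.workspaceId)) {
      throw new HttpError(404, 'not found');
    }
    return handler(db, params);
  };
}

const listSignals = withWorkspaceScope((db, { workspaceId }) =>
  db.signals.filter((s) => s.workspaceId === workspaceId));
```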
hCaptcha bot protection
Sign-in and password-reset forms are protected by hCaptcha to prevent credential-stuffing and automated abuse. The challenge is required before any authentication attempt is processed.
GitHub App permissions
Deviera uses a GitHub App rather than a personal access token, so permissions are granular and revocable per installation. The App requests only the permissions listed below, the minimum needed to detect friction. You can audit and revoke access at any time from your GitHub App settings.
| Permission | Why we need it |
|---|---|
| metadata: read | Repository name, visibility, branch list |
| checks: read | Read workflow run results for CI intelligence |
| pull_requests: read | PR metadata — title, author, reviewers, labels |
| issues: read/write | Read issue events; write GitHub issues on your behalf (automation action) |
| contents: read | Commit SHAs and commit messages only. GitHub grants file contents under this same permission, but Deviera never fetches file contents |
| statuses: read | Deployment status events |
OAuth fallback (for users who haven't installed the GitHub App) uses the same minimal scopes via your GitHub account token.
Data we store
Automation events (signals)
Retention: per plan, 7d (Free) · 30d (Pro) · 90d (Team) · 365d (Enterprise)
What we store: trigger type, outcome, severity, issue tracker ID (Linear/Jira/GitLab), repo name, source URL. No code content.
OAuth tokens
Retention: until you disconnect the integration
What we store: GitHub, GitLab, Linear, Jira, and Vercel access tokens. Stored encrypted. Used only to make API calls on your behalf.
Webhook payloads
Retention: not persisted; processed in memory and discarded
What we process: GitHub, GitLab, and Vercel webhook metadata (branch names, commit SHAs, check run results). Not full payloads, only the fields needed for trigger evaluation.
User account data
Retention: until you delete your account
What we store: email address, display name, hashed password (bcryptjs), NextAuth session.
Billing data
Retention: audit trail kept for 3 years
What we store: subscription ID, plan status, period end date. No payment card data is stored; all PCI-scoped data is handled by our payment processor.
Infrastructure
Hosting
Vercel (edge + serverless)
Database
PostgreSQL (Supabase)
Queue
Redis via Upstash (TLS)
Responsible disclosure
Found a security vulnerability? Please email security@deviera.io before disclosing publicly. We aim to respond within 48 hours and will credit researchers who report valid issues.