Built to SOC 2 Type II standards. Your code stays yours.
Deviera is built to enterprise security standards — MFA, encrypted token storage, audit logging, and automated incident detection. We connect to your GitHub and GitLab repositories, Linear and Jira workspaces, and Vercel projects. Here is exactly what we access, how we store it, and how we protect it.
The short version
We never read your source code. OAuth tokens and webhook secrets are encrypted with AES-256-GCM before database storage. Webhooks are HMAC-verified. API keys are SHA-256 hashed. Every request is scoped to your workspace.
SOC 2 Type II hardened
CC6.x / CC7.x controls
Deviera implements the access, encryption, monitoring, and incident-response controls a SOC 2 Type II examination looks for. Formal third-party certification is in progress — enterprise customers can request a security review and a data processing agreement (DPA) today.
Multi-factor authentication
TOTP-based MFA with backup codes, enforceable at sign-in. (SOC 2 CC6.1)
Encryption with key rotation
AES-256-GCM token encryption with a versioned key scheme that supports zero-downtime rotation. (SOC 2 CC6.7)
Audit logging
Key user mutations are written to a tamper-evident audit trail for accountability and review. (SOC 2 CC7.1)
Automated incident detection
Brute-force and rate-limit-storm patterns automatically raise security incidents for investigation. (SOC 2 CC7.1)
Granular admin roles
Least-privilege admin access with distinct superadmin and read-only auditor roles. (SOC 2 CC6.1)
Resilient job processing
Failed background jobs are persisted to a dead-letter queue with full audit trail and admin replay. (SOC 2 CC7.1)
Security practices
Tokens stored encrypted
OAuth tokens and webhook secrets for all integrations (GitHub, Linear, Jira, GitLab, ClickUp, Vercel) are encrypted with AES-256-GCM before being stored in PostgreSQL. Encryption keys are environment-level secrets — tokens are never logged or exposed in API responses.
API keys hashed with SHA-256
Personal API keys are shown once at creation. Deviera stores only a SHA-256 hash — we cannot recover a lost key. Revoke and regenerate from your dashboard at any time.
Webhook signature verification
Every inbound GitHub webhook is verified using HMAC-SHA256 against your webhook secret before processing. Billing webhooks are likewise signature-verified. Unverified requests are rejected with HTTP 401.
No source code access
Deviera never reads your source code. GitHub webhooks deliver metadata only — commit SHAs, branch names, workflow run results, PR titles, and issue labels. Your code never leaves GitHub.
Cross-account isolation
Every API route validates that the requesting user belongs to the workspace owning the requested resource. Automation events, signals, and integrations are strictly scoped — one workspace cannot access another's data.
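An added example (not Deviera's code) of the per-route workspace check described above, written against constructed in-memory membership and signal tables. It also carries one design decision the page does not spell out: a resource that belongs to another workspace is answered with 404, not 403, so the response does not confirm that the guessed id exists.

```javascript
// Added example, not Deviera's code: every read resolves the resource's workspace and
// checks the caller's membership before the record is returned.

// Constructed tables standing in for the database.
const memberships = new Map([
  ['user-a', new Set(['ws-1'])],
  ['user-b', new Set(['ws-2'])],
]);
const signals = new Map([
  ['sig-100', { workspaceId: 'ws-1', trigger: 'ci_failed', severity: 'high' }],
  ['sig-101', { workspaceId: 'ws-1', trigger: 'pr_stale', severity: 'low' }],
  ['sig-200', { workspaceId: 'ws-2', trigger: 'deploy_failed', severity: 'high' }],
]);

function isMember(userId, workspaceId) {
  const workspaces = memberships.get(userId);
  return workspaces !== undefined && workspaces.has(workspaceId);
}

// Single-resource route: load, then verify the caller belongs to the owning workspace.
// A resource in another workspace and a nonexistent id get the identical 404, so
// the status code cannot be used to enumerate ids.
function getSignal(userId, signalId) {
  const signal = signals.get(signalId);
  if (!signal || !isMember(userId, signal.workspaceId)) return { status: 404 };
  return { status: 200, signal: { id: signalId, ...signal } };
}

// List route: the workspace filter is part of the query itself, not a post-fetch
// check, so a forgotten filter cannot return another tenant's rows.
function listSignals(userId, workspaceId) {
  if (!isMember(userId, workspaceId)) return { status: 404 };
  const rows = [];
  for (const [id, signal] of signals) {
    if (signal.workspaceId === workspaceId) rows.push({ id, ...signal });
  }
  return { status: 200, signals: rows };
}

module.exports = { isMember, getSignal, listSignals };
```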
hCaptcha bot protection
Sign-in and password-reset forms are protected by hCaptcha to prevent credential-stuffing and automated abuse. The challenge is required before any authentication attempt is processed.
GitHub App permissions
Deviera uses a GitHub App (not a personal access token) for granular, revocable permissions. The App requests the minimum scopes required to detect friction. You can audit and revoke access at any time from your GitHub App settings.
| Permission | Why we need it |
|---|---|
| metadata: read | Repository name, visibility, branch list |
| checks: read | Read workflow run results for CI intelligence |
| pull_requests: read | PR metadata — title, author, reviewers, labels |
| issues: read/write | Read issue events; write GitHub issues on your behalf (automation action) |
| contents: read | Commit SHAs and messages only — not file contents |
| statuses: read | Deployment status events |
OAuth fallback (for users who haven't installed the GitHub App) uses the same minimal scopes via your GitHub account token.
Data we store
Automation events (signals)
Retention: 7d (Free) · 30d (Pro) · 90d (Team) · 365d (Enterprise), depending on plan
Stored: trigger type, outcome, severity, issue tracker ID (Linear/Jira/GitLab), repo name, source URL. No code content.
OAuth tokens
Retention: until you disconnect the integration
Stored: GitHub, Linear, Jira, GitLab, ClickUp, and Vercel access tokens, plus per-integration webhook secrets. Encrypted with AES-256-GCM before storage. Used only to make API calls on your behalf.
Webhook payloads
Retention: not persisted; processed in memory and discarded
Contents: GitHub, GitLab, and Vercel webhook metadata (branch names, commit SHAs, check run results). Not full payloads — only the fields needed for trigger evaluation.
User account data
Retention: until you delete your account
Stored: email address, display name, hashed password (bcryptjs), NextAuth session.
Billing data
Retention: audit trail retained for 3 years
Stored: subscription ID, plan status, period end date. No payment card data is stored — all PCI-scoped data is handled by our payment processor.
Infrastructure
Hosting
Vercel (edge + serverless)
Database
PostgreSQL (Supabase)
Queue
Redis via Upstash (TLS)
Responsible disclosure
Found a security vulnerability? Please email security@deviera.dev before disclosing publicly. We aim to respond within 48 hours and will credit researchers who report valid issues.
Security FAQ
Is Deviera SOC 2 compliant?
Deviera is SOC 2 Type II hardened — MFA/TOTP, AES-256-GCM token encryption with key rotation, per-installation webhook verification, brute-force and rate-limit incident detection, idle auto-logout, granular admin roles, and audit logs are all implemented. Formal third-party certification is in progress. Enterprise customers can request a security review and data processing agreement (DPA).
Where is my data hosted?
Deviera's application runs on Vercel's global edge network. Data (database and file storage) is hosted on Supabase (PostgreSQL on AWS). Both Vercel and Supabase are SOC 2 certified providers. Enterprise customers can request data residency details as part of a DPA.
Can Deviera read my source code?
No. Deviera never reads your source code. GitHub webhooks deliver metadata only — commit SHAs, branch names, workflow run results, PR titles, and issue labels. Your code never leaves GitHub.
How are my integration tokens protected?
OAuth tokens and webhook secrets for every integration are encrypted with AES-256-GCM before being stored in PostgreSQL. Encryption keys are environment-level secrets, support rotation, and tokens are never logged or returned in API responses.
Satisfied with our security posture?
Start your free trial — no credit card required.