GitHub access
The GitHub App is configured for Contents: Read, Pull requests: Read and write, Issues: Read and write, and Metadata: Read. Contents are read to assemble review context. Pull-request and issue access lets us publish reviews, maintain the summary, and process @wiseguy commands. Metadata is required by GitHub.
During installation, a separate GitHub OAuth authorization verifies that the signed-in user can access the installation. That user access token is used for the verification request and is not stored.
What we do and do not store
Not persisted: repository source, diffs, webhook request bodies, model prompts containing source, GitHub installation tokens, and raw provider responses. These values must not enter Postgres, application logs, analytics, or error reports.
Persisted: installation and repository identifiers, repository visibility and configuration, pull-request metadata, review status and timing, provider/model names, token and cost counts, finding paths and line numbers, customer-visible review comment text, billing records, webhook delivery identifiers, and source-free audit events.
Review comments can include a small suggested replacement selected for publication. GitHub stores the posted comment, and Wiseguy retains the same customer-visible comment text so the dashboard and audit trail remain accurate.
Retention and deletion
- Finding and customer-visible comment text is hard-deleted after 400 days.
- Uninstalling immediately suspends access. Installation-scoped records are hard-deleted within 30 days.
- A verified manual deletion request is completed within 7 days. Contact [email protected].
- A narrowly scoped, audited legal or incident hold can delay deletion until the hold is released.
Model providers
| Route | Provider | Control |
|---|---|---|
| Bulk | OpenRouter and an explicit operator-configured host allowlist | Requests require data collection denied, zero-data-retention capable routing, and provider fallbacks disabled. |
| Escalation | Anthropic API | Direct commercial API requests. Anthropic documents deletion within 30 days by default unless stricter retention terms apply. |
Operators can stop all model traffic or either provider with deployment kill switches. Provider models and allowlists are launch configuration, not customer data.
Subprocessors
- GitHub — source of repository context and destination for reviews.
- DigitalOcean — App Platform application, worker, and scheduler hosting, plus managed PostgreSQL and Valkey.
- OpenRouter and its configured model hosts — bulk inference.
- Anthropic — escalation inference.
- Stripe — subscription and payment records; Stripe does not receive source code.
- Sentry, when enabled — error reporting after request bodies, source-bearing fields, secrets, and review-engine locals are removed.
Security contact and changes
Report security concerns to [email protected]. We ask for 90 days to investigate and coordinate disclosure. Material edits to this page will update the effective date and be recorded in the repository history.