Security & Compliance
Ephemeral by design. Encrypted by default. Your data never leaves your control.
Enterprise-Grade Security
Defense in depth across every layer of the stack
Fully Ephemeral Processing
PR and issue content is processed in-memory and never stored at rest. Only generated release notes are persisted—your source data stays yours.
AES-256-GCM Field-Level Encryption
All sensitive credentials (API keys, tokens, webhook secrets) are encrypted with AES-256-GCM before reaching the database. Quarterly automated key rotation with zero-downtime re-encryption.
BYOK — Bring Your Own Keys
Connect your own AWS Bedrock credentials for complete data sovereignty. Your AI inference stays within your AWS account—ReleaseRay never sees the prompts or responses.
Database SSL with Certificate Verification
All database connections enforce SSL with sslmode=verify-full and CA certificate pinning. No plaintext database traffic, ever.
SOC 2 Type II Compliance
Comprehensive security controls across access management, encryption, audit logging, change management, and incident response—aligned with SOC 2 Trust Service Criteria.
Automated Key Rotation
Encryption keys rotate quarterly via automated CI/CD workflows. Previous keys are retained for seamless decryption of existing data during the transition window.
Complete Audit Trail
Every action—draft generation, publishing, credential access, data deletion—is logged with actor, timestamp, IP, and context for full accountability.
Endpoint Security & Penetration Testing
Formal endpoint security policies, scheduled penetration testing, and vulnerability scanning ensure continuous security posture improvement.
Defense-in-Depth API Hardening
Server-side JWT validation on every authenticated endpoint, Zod schema validation on all inputs, CSRF origin verification with strict URL parsing, and SSRF protection on outbound webhooks.
Rate Limiting with Circuit Breaker
Multi-tier rate limiting across webhooks, API, LLM, and billing endpoints. Circuit breaker pattern fails closed on security-critical paths—no silent bypasses when infrastructure is degraded.
Privacy First
Complete control over your data—collect less, protect more, delete on demand
30-Day Data Retention
PR metadata and generated drafts are automatically purged after 30 days. Analytics aggregates are retained for 13 months. You control what stays.
Purge My Data
Organization admins can trigger immediate data deletion with a 24-hour cooling period. Full GDPR Article 17 compliance—your right to be forgotten, enforced.
Data Transparency API
Query exactly what data ReleaseRay holds about your organization. Export everything or delete it—complete visibility with no hidden storage.
What We Access vs. What We Store
Accessed Ephemerally
PR bodies, issue descriptions, comments, and commit messages are fetched from GitHub, sent to the LLM, and discarded. Never written to disk or database.
Stored (Encrypted)
Generated release note drafts, PR metadata (title, number, author, labels), and your organization settings. All encrypted at rest with AES-256-GCM.
We never access your source code. ReleaseRay only reads PR/issue metadata and discussion content through the GitHub API, and with BYOK Bedrock, even that data never touches our infrastructure.
Compliance
Built to meet the standards your security team requires
SOC 2 Type II
Status: In Progress. Trust Service Criteria: Security, Availability, Confidentiality
GDPR
Status: Compliant. Data Processing Agreement available. EU data residency supported.
CCPA
Status: Compliant. California Consumer Privacy Act compliance with data deletion rights.
HIPAA
Status: Architecture Ready. Ephemeral processing and BYOK enable HIPAA-eligible deployments.
Questions about security?
Request our security questionnaire, SOC 2 report, or schedule a call with our security team