Security & access

"You want access to my code?" Fair question. Here's the honest answer.

A tool that watches your engineering operation must be more trustworthy than the risks it watches for. This page explains our access model the way we explain everything: plainly, specifically, and without asking you to take anything on faith you can't verify.

01 Read-only, minimum-scope access

NovaCTO connects through the official OAuth flows of GitHub, GitLab, AWS, and Google Cloud, requesting only read scopes. It cannot write code, merge pull requests, deploy, change infrastructure, or spend a dollar. You can verify the granted scopes yourself, at any time, inside your own GitHub or cloud console — you don't have to trust our word for it.

02 Your code is analyzed, never stored

Source code is processed in ephemeral, isolated environments and discarded after analysis. What we retain is derived metadata — metrics, trends, findings, scores — not your source. Your codebase is your crown-jewel IP; a copy of it sitting in someone else's database is a liability we refuse to hold.

03 Encrypted everywhere, isolated per customer

All data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Every customer's data is logically isolated; there is no shared analysis pool that mingles one company's information with another's. Benchmarks are computed from anonymized, aggregated statistics that cannot be traced back to any company.

04 One click to revoke, 30 days to gone

Disconnecting takes one click and takes effect immediately — our tokens stop working the moment you revoke them. On cancellation, derived analytics are deleted within 30 days. No exit interviews, no retention dark patterns, no "are you sure" gauntlet.

05 Nothing to install, nothing to break

No agents on your servers, no SDK in your app, no CI pipeline changes, no bot accounts commenting on pull requests. NovaCTO observes from outside your workflow, which means it cannot slow your team down, break a build, or introduce a dependency into your product.

06 Compliance, stated honestly

We're an early-stage company and we won't pretend otherwise: our SOC 2 Type II audit is in progress, not framed on the wall yet. What we can show today: our security architecture documentation, our data-processing agreement, and our subprocessor list — available to any customer or prospect on request.

The principle

We built the access model we'd demand as customers.

Every design decision above came from one test: would a paranoid technical founder — the kind of person who reads OAuth scopes for fun — approve this for their own company? If the answer was no, we changed the design, not the pitch.

Questions?

Ask us the hard ones.

Security questionnaires, architecture reviews, DPA requests — send them over. We answer within two business days, in plain English.

✓ Got it. Security documentation on its way.
Or read the FAQ first