Privacy Policy

Effective date: May 25, 2026

1. Who we are

SentinelAI ("we", "us", "our") provides an automated compliance-scanning service that integrates with GitHub to review pull requests for adherence to security and compliance frameworks including SOC 2, HIPAA, GDPR, and the EU AI Act. Our service is offered at sentinel-ai-web-luw6.onrender.com.

2. Information we collect

We collect the following categories of information:

  • GitHub data. When you install the GitHub App we receive your GitHub account login, the list of repositories you grant us access to, pull request metadata (PR number, commit SHA, author), and the diff content of changed files. We do not clone or store full repository contents.
  • Account information. When you sign in via WorkOS we receive your name and email address to identify your account and link it to your organization.
  • Compliance findings. We store the violations, suggested fixes, and audit ledger entries produced by our scans. This data belongs to your organization and is retained to power your compliance dashboard.
  • Usage data. We collect standard server logs including IP addresses, request paths, and timestamps for security and operational monitoring.

3. How we use your information

We use the information we collect to:

  • Perform compliance scans on pull requests and post findings to GitHub.
  • Maintain your organization's audit ledger and compliance dashboard.
  • Authenticate users and associate them with their organization.
  • Monitor service health, investigate security incidents, and improve our product.
  • Communicate with you about your account and product updates (with your consent).

We do not sell your data, use it for advertising, or share it with third parties except as described in Section 5.

4. Data retention

Compliance findings and audit ledger entries are retained for as long as your organization account is active and for a minimum of three years thereafter to support audit requirements. You may request deletion of your organization's data at any time by contacting us at the address below, subject to legal and regulatory retention obligations.

GitHub pull request diffs processed during a scan are used solely to generate findings and are not stored in their raw form after the scan completes.

5. Third-party services

We use the following sub-processors to deliver our service:

  • Anthropic. Pull request diffs are sent to Anthropic's Claude API for compliance analysis. Anthropic processes this data under their API terms; no training on your data occurs under the default API agreement.
  • Supabase. We store organization, repository, scan, and compliance data in a Supabase (PostgreSQL) database hosted on AWS infrastructure.
  • Temporal Cloud. We use Temporal Cloud to orchestrate scan workflows. Workflow inputs and results may be stored transiently in Temporal Cloud infrastructure.
  • WorkOS. We use WorkOS to handle user authentication and enterprise SSO.
  • Render.com. Our application servers are hosted on Render.com infrastructure in the United States.
  • GitHub. As a GitHub App, we interact with GitHub's APIs to read pull request data and post review comments.

6. Data security

We apply industry-standard security controls including encryption in transit (TLS), encryption at rest, row-level database access controls, and secret management practices. All API keys and credentials are stored as encrypted secrets and are not hard-coded in source code.

Despite these measures, no system is perfectly secure. We encourage you to use strong authentication and to report any suspected security issues to us promptly.

7. Your rights

Depending on your jurisdiction, you may have rights to access, correct, or delete personal data we hold about you. To exercise these rights, please contact us using the details in Section 9. We will respond to verified requests within 30 days.

8. Changes to this policy

We may update this Privacy Policy from time to time. When we do, we will update the effective date at the top of this page. Material changes will be communicated to account administrators via email at least 14 days before taking effect.

9. Contact

If you have questions about this Privacy Policy or wish to exercise your data rights, please contact us at privacy@sentinel-ai.dev.