Security

DraftView handles source code and documentation from your repositories. We take that responsibility seriously. Here is how we protect your data.

Infrastructure

Data Handling

• Repository content is ephemeral. We fetch file content from GitHub on demand to render diffs. Content is processed in memory and not persisted to disk or database.
• No code storage. We do not clone repositories or store source files. Only metadata (PR numbers, file paths, review comments) is retained.
• Encryption at rest. All data in our Neon database is encrypted at rest using AES-256.
• Encryption in transit. All connections use TLS 1.2+. Database connections require SSL.

Authentication

• GitHub OAuth. We authenticate via GitHub and request repository access to read PR content and submit reviews on your behalf.
• Magic links. Reviewers access DraftView via time-limited, cryptographically signed magic links. No passwords are stored.
• Token rotation. GitHub access tokens are refreshed automatically and never exposed to the client.

GitHub App Permissions

The DraftView GitHub App requests the minimum permissions required:

• Pull requests: Read & Write (to fetch PR metadata and submit reviews)
• Contents: Read (to render documentation files)
• Metadata: Read (repository name, default branch)

Reviews and suggestions submitted in DraftView are posted via the GitHub API on your behalf, using your authenticated session.

Vulnerability Reporting

Found a security issue? Please report it responsibly to help@draftview.app. We aim to acknowledge reports within 48 hours and resolve critical issues within 7 days.