Security Policy

Last updated: April 26, 2026

Overview

Stage Inc. ("Stage", "we", "us") is an AI-powered code review platform that processes source code and pull request data from GitHub. Our customers trust us with their source code, and we treat that trust as our highest obligation.

For questions or concerns, contact us at security@stagereview.app.

Authentication

Stage uses GitHub OAuth as the sole authentication provider. We do not store passwords. User sessions are managed with encrypted cookies, and session tokens are opaque and non-guessable.

GitHub OAuth tokens are encrypted before storage in our database. We request only the minimum GitHub scopes required to provide our service.

Multi-factor authentication (MFA) is governed by your GitHub account and organization settings. We strongly recommend enabling MFA on your GitHub account.

All API endpoints enforce authentication and authorization. Every request that accesses repository data verifies that the requesting user is a member of the owning organization and that the repository is actively connected. Organization data is strictly isolated — users can only access repositories belonging to organizations they are a member of.

Data Security

Encryption

All data in transit is encrypted using TLS 1.2 or higher. All data at rest is encrypted using AES-256 encryption provided by our database infrastructure. OAuth tokens receive an additional layer of application-level encryption before storage.

Infrastructure

Stage is hosted on Vercel (AWS infrastructure) with a PostgreSQL database on Neon. Both providers maintain SOC 2 Type II compliance. All secrets and credentials are stored as encrypted environment variables and are never committed to source control.

What We Store

  • Account data: name, email, and profile image from your GitHub account
  • GitHub data: repository metadata and pull request identifiers (numbers, commit SHAs) for repositories you explicitly authorize
  • AI-generated content: review summaries and chapter narratives generated from your pull requests
  • Payment data: Stripe customer and subscription identifiers only — we never store credit card numbers

What We Do Not Store

  • Passwords (GitHub OAuth only)
  • Credit card numbers or banking details (handled entirely by Stripe)
  • Source code or diffs (code is fetched from GitHub, processed in memory, and discarded after AI analysis)

AI & Third-Party Processing

Stage uses AI models via an API gateway to generate code review content. We use Google Gemini, Anthropic Claude, and OpenAI. When processing a pull request, we send code diffs and PR metadata (title and description) to the AI provider. We do not send authentication tokens, email addresses, organization secrets, or payment information to any AI provider.

None of our AI providers use data sent via their APIs to train models. See their privacy policies for details.

Sub-Processors

  • Google — AI model provider (Gemini)
  • Anthropic — AI model provider (Claude)
  • OpenAI — AI model provider
  • Vercel — Application hosting
  • Neon — Database hosting
  • Stripe — Payment processing
  • Sentry — Error monitoring
  • PostHog — Product analytics
  • Resend — Transactional email
  • Upstash — Redis caching
  • Inngest — Durable function execution

Data Retention & Deletion

To delete your account and all associated data, contact us at founders@stagereview.app. We will process your request and confirm deletion within 30 days. This includes your profile information, OAuth tokens, repository data, and all AI-generated content.

We do not store source code or diffs. Code is fetched from GitHub on demand, processed in memory during AI analysis, and discarded. Only AI-generated narratives and file/line references are persisted.

Risk Management

We use Sentry for real-time error monitoring and alerting across our application. All incoming GitHub webhooks are verified using HMAC-SHA256 signature validation. API inputs are validated at the handler level before any business logic executes.
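The webhook check described above, shown as an added illustration rather than Stage's own code: a handler-level verifier for GitHub's X-Hub-Signature-256 header, which carries an HMAC-SHA256 of the raw request body keyed with the webhook secret. The secret and payload below are constructed for the example; the verifier also shows why the comparison must run over the exact bytes received, not a re-serialized copy.

```python
import hashlib
import hmac
import json
from typing import Optional

# GitHub sends the signature as "sha256=<hex digest>" in the
# X-Hub-Signature-256 header; the digest is HMAC-SHA256(secret, raw body).
SIGNATURE_PREFIX = "sha256="


def sign_body(secret: bytes, raw_body: bytes) -> str:
    """Build the header value GitHub would send for raw_body (used here to construct test inputs)."""
    return SIGNATURE_PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_github_signature(secret: bytes, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Return True only when signature_header is a valid signature for raw_body.

    Rejects a missing header, a wrong algorithm prefix (e.g. the legacy sha1 header),
    and any digest that does not match. compare_digest is constant-time, so the check
    does not leak how many leading characters of the digest matched.
    """
    if not signature_header or not signature_header.startswith(SIGNATURE_PREFIX):
        return False
    expected = sign_body(secret, raw_body)
    return hmac.compare_digest(expected, signature_header)


def verify_reserialized(secret: bytes, raw_body: bytes, signature_header: Optional[str]) -> bool:
    """Common mistake: parse the JSON, dump it again, then sign the dump.

    json.dumps inserts spaces after separators, so the bytes differ from what GitHub
    signed and a genuine delivery is rejected. Shown only to make the pitfall concrete.
    """
    reserialized = json.dumps(json.loads(raw_body)).encode()
    return verify_github_signature(secret, reserialized, signature_header)


# Constructed sample delivery (not real secrets or data).
SAMPLE_SECRET = b"constructed-webhook-secret"
SAMPLE_BODY = b'{"action":"opened","pull_request":{"number":42}}'
SAMPLE_HEADER = sign_body(SAMPLE_SECRET, SAMPLE_BODY)

if __name__ == "__main__":
    print("genuine delivery accepted:", verify_github_signature(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADER))
    print("re-serialized body accepted:", verify_reserialized(SAMPLE_SECRET, SAMPLE_BODY, SAMPLE_HEADER))
```

In a real handler the secret comes from an environment variable and the check runs before the body is parsed or any business logic executes, matching the ordering the policy describes.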

If we identify a security breach affecting your data, we will notify impacted users within 72 hours with details of the incident, the data involved, and the steps we are taking to remediate it.

Internal Access

Access to production infrastructure and customer data is restricted to the minimum number of personnel required to operate the service. All production access requires authenticated sessions and is logged.

We do not access customer repositories or source code unless explicitly requested for support purposes. Our application processes code programmatically — no human reads your source code during normal operation.

Vulnerability Reporting

If you discover a security vulnerability in Stage, please report it to security@stagereview.app. We will acknowledge your report within 5 business days. We ask that you give us reasonable time to address the issue before public disclosure. We do not pursue legal action against researchers who report vulnerabilities in good faith.

Compliance

Stage does not currently hold formal security certifications. Our infrastructure providers (Vercel and Neon) maintain SOC 2 Type II compliance. If you have specific compliance requirements, contact us at founders@stagereview.app and we will work with you to address them.

Contact

Security inquiries: security@stagereview.app