Security & Privacy
At UnfoldCI, security and privacy are our highest priorities. We've designed our platform from the ground up to protect your code, data, and intellectual property while delivering powerful AI-driven test reliability insights.
Our Commitment
- ✅ No Code Storage — Your source code is never stored on our servers
- ✅ Minimal Data Access — We only fetch what's necessary for analysis
- ✅ Encrypted Transmission — All data transfers use TLS 1.3+
- ✅ Secure Authentication — GitHub OAuth and installation tokens only
- ✅ Data Retention Control — You control your data lifecycle
- ✅ SOC 2 Compliant Infrastructure — AWS cloud with enterprise security
What Data We Access
During Analysis
When UnfoldCI analyzes a flaky test, we temporarily access:
- Test File — Only the specific test file that's failing intermittently
- Imported Dependencies — Up to 5 files imported by the test (configurable)
- Test Outcomes — Pass/fail results from your CI runs (from JUnit XML)
Critical: We fetch these files only during active analysis and never store them on our servers.
What We DO Store
We store only the following minimal data:
| Data Type | What We Store | Why | Retention |
|---|---|---|---|
| Test Metadata | Test name, file path, language | Identify tests | Until repo uninstalled |
| Test Outcomes | Pass/fail history (last 100 runs) | Detect flaky patterns | Until repo uninstalled |
| AI Analysis Results | Root cause category, confidence score, suggested fix | Show insights in dashboard | Until repo uninstalled |
| GitHub Metadata | Repository URL, installation ID, user email | Link accounts | Until app uninstalled |
| Usage Metrics | API calls, analyses performed, PRs created | Billing and rate limiting | 12 months |
What We DO NOT Store
- ❌ Source Code — Never stored, only analyzed in-memory
- ❌ Secrets or Credentials — Never accessed
- ❌ Environment Variables — Never accessed
- ❌ Business Logic — Only test files during analysis
- ❌ Production Data — No access to your application data
- ❌ Test Inputs/Outputs — Only pass/fail status
- ❌ Code Diffs — Generated fix diffs are sent directly to GitHub, not stored
How AI Analysis Works (Security Perspective)
Step 1: Flaky Test Detection
- Data Used: Pass/fail outcomes from JUnit XML (already generated by your CI)
- Processing: Statistical analysis on our servers
- Code Access: None
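As an added illustration of how Step 1 can operate on nothing but outcomes (this is example code, not UnfoldCI's own implementation): the parser below reads a JUnit XML report, keeps only the test identity, pass/fail/skip status and duration, drops failure messages, stack traces and captured stdout/stderr, and then flags flaky tests over a rolling window of the last 100 runs. The flakiness rule (at least two pass/fail flips inside the window), the `OutcomeHistory` class and the sample reports are assumptions constructed for the demo.

```python
"""Extract pass/fail outcomes from JUnit XML and flag flaky tests.

Added example, not UnfoldCI's code. Only test identity, outcome and
duration are retained; <failure>/<error>/<system-out>/<system-err>
children are used to classify the outcome and their text is discarded.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict, deque

WINDOW = 100     # rolling window of runs per test (the page's "last 100 runs")
MIN_FLIPS = 2    # assumption: pass<->fail transitions needed to call a test flaky


def parse_junit(xml_text):
    """Return a list of (test_id, outcome, duration_seconds) from JUnit XML.

    outcome is "pass", "fail" or "skip". Messages, traces and captured
    output inside the testcase are never returned.
    """
    root = ET.fromstring(xml_text)
    results = []
    for case in root.iter("testcase"):
        test_id = f"{case.get('classname', '')}::{case.get('name', '')}"
        if case.find("skipped") is not None:
            outcome = "skip"
        elif case.find("failure") is not None or case.find("error") is not None:
            outcome = "fail"
        else:
            outcome = "pass"
        results.append((test_id, outcome, float(case.get("time", "0"))))
    return results


class OutcomeHistory:
    """Keeps only the last `window` pass/fail outcomes per test (assumed design)."""

    def __init__(self, window=WINDOW):
        self.window = window
        self.history = defaultdict(lambda: deque(maxlen=self.window))

    def record_run(self, xml_text):
        for test_id, outcome, _duration in parse_junit(xml_text):
            if outcome != "skip":  # a skip says nothing about flakiness
                self.history[test_id].append(outcome)

    def flips(self, test_id):
        """Number of times the outcome changed between consecutive runs."""
        outcomes = list(self.history[test_id])
        return sum(1 for a, b in zip(outcomes, outcomes[1:]) if a != b)

    def flaky_tests(self, min_flips=MIN_FLIPS):
        """Tests that alternate between pass and fail; consistently failing tests are not flaky."""
        return sorted(t for t in self.history if self.flips(t) >= min_flips)


def make_report(outcomes):
    """Build a small constructed JUnit XML document for the demo."""
    cases = []
    for name, outcome in outcomes.items():
        body = ""
        if outcome == "fail":
            # Message, trace and output are present in the input but never stored.
            body = ('<failure message="AssertionError: timed out">trace...</failure>'
                    '<system-out>captured output</system-out>')
        cases.append(f'<testcase classname="suite.TestA" name="{name}" time="0.5">{body}</testcase>')
    return f'<testsuite name="suite">{"".join(cases)}</testsuite>'


# Constructed CI runs: test_retry alternates, test_stable always passes,
# test_broken always fails (a real failure, not flakiness).
CONSTRUCTED_RUNS = [
    {"test_retry": "pass", "test_stable": "pass", "test_broken": "fail"},
    {"test_retry": "fail", "test_stable": "pass", "test_broken": "fail"},
    {"test_retry": "pass", "test_stable": "pass", "test_broken": "fail"},
    {"test_retry": "fail", "test_stable": "pass", "test_broken": "fail"},
]


def demo():
    hist = OutcomeHistory()
    for run in CONSTRUCTED_RUNS:
        hist.record_run(make_report(run))
    return hist


if __name__ == "__main__":
    print(demo().flaky_tests())  # ['suite.TestA::test_retry']
```

The deque with `maxlen` enforces the rolling window at ingestion time, so nothing older than the last 100 runs ever needs deleting later; everything the detector needs is a per-test sequence of outcome labels.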
Step 2: Root Cause Analysis (When Triggered)
- Temporary Code Fetch:
  - Fetch test file from GitHub (using installation token)
  - Fetch up to 5 imported files (e.g., test helpers, utilities)
  - Files fetched via GitHub API (secure, authenticated)
- In-Memory Analysis:
  - Code is sent to AI model (OpenAI or Anthropic)
  - Analysis happens in-memory only
  - AI identifies patterns (missing awaits, timing issues, etc.)
- Result Storage:
  - Only analysis result stored (category, confidence, explanation)
  - Source code discarded immediately after analysis
  - No code stored in database
- AI Provider Security:
  - OpenAI and Anthropic are SOC 2 Type II certified
  - API calls are encrypted (TLS 1.3)
  - Per their policies, they do not train models on API data
Step 3: Fix Generation (When PR is Created)
- Code Fetch: Same as analysis (temporary, in-memory)
- Fix Generation: AI generates unified diff format
- PR Creation: Diff pushed directly to GitHub via API
- No Storage: Diff is not stored on our servers
GitHub App Permissions
UnfoldCI requests only the minimum permissions required to function:
| Permission | Access Level | Why Required |
|---|---|---|
| Code | Read | Fetch test files for AI analysis |
| Pull Requests | Read & Write | Create fix PRs, add comments |
| Metadata | Read | Repository information (name, owner) |
| Workflows | Read | (Future) Automatic historical backfill |
| Checks | Read | (Future) Enhanced CI integration |
Note: We do NOT request access to:
- Issues
- Projects
- Wiki
- Deployments
- Webhooks (you configure our action manually)
Data Encryption
In Transit
- All API communications use TLS 1.3 with perfect forward secrecy
- GitHub API calls authenticated with time-limited installation tokens
- API keys use secure Bearer token authentication
At Rest
- Database: AWS RDS PostgreSQL with encryption at rest (AES-256)
- Backups: Encrypted with AWS KMS
- API Keys: Hashed using bcrypt before storage (never stored in plain text)
API Key Security
Best Practices
✅ DO:
- Store API keys in GitHub Secrets (never commit to code)
- Use organization secrets for multiple repos
- Rotate keys periodically (generate new key, update secret)
- Revoke keys immediately if exposed
❌ DON'T:
- Commit API keys to your repository
- Share keys via email or chat
- Use the same key across multiple organizations
- Store keys in plain text files
Key Format
API keys follow this format: unfold_ci_xxxxxxxxxxxxxxxx
- Prefix: unfold_ci_ for easy identification
- Hashed Storage: Keys are bcrypt-hashed before storage
- Scope: Each key is tied to a specific GitHub App installation
Revocation
To revoke an API key:
- Go to Settings in the dashboard
- Click Revoke next to the key
- Generate a new key
- Update GitHub Secrets with the new key
Revoked keys stop working immediately.
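The following is an added example (not UnfoldCI's code) of the key lifecycle described under Key Format and Revocation: a prefixed key is issued once, only a salted slow hash of it is kept, the key is scoped to one installation, verification uses a constant-time comparison, and a revoked key stops verifying immediately. The page states bcrypt is used; this demo substitutes `hashlib.pbkdf2_hmac` so it runs on a bare Python install. The random length, the non-secret 8-character lookup segment and the `KeyStore` API are assumptions for illustration.

```python
"""Issue, store and verify prefixed API keys without keeping plaintext.

Added example, not UnfoldCI's code. pbkdf2_hmac stands in for bcrypt
(which the page names); the pattern is the same: salted slow hash,
no plaintext at rest, constant-time compare, immediate revocation.
"""
import hashlib
import hmac
import secrets

PREFIX = "unfold_ci_"
LOOKUP_LEN = 8          # assumption: leading chars of the random part act as a non-secret index
ITERATIONS = 200_000    # assumption: work factor (bcrypt's cost plays this role)


def _slow_hash(key: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", key.encode(), salt, ITERATIONS)


def _lookup_id(key: str) -> str:
    # Lets verification find one record instead of slow-hashing against every row.
    return key[len(PREFIX):len(PREFIX) + LOOKUP_LEN]


class KeyStore:
    """In-memory stand-in for the keys table; never holds a plaintext key."""

    def __init__(self):
        self._records = {}  # lookup_id -> {salt, hash, installation_id, revoked}

    def issue(self, installation_id: int) -> str:
        """Create a key tied to one GitHub App installation; the plaintext is returned once."""
        key = PREFIX + secrets.token_urlsafe(24)
        salt = secrets.token_bytes(16)
        self._records[_lookup_id(key)] = {
            "salt": salt,
            "hash": _slow_hash(key, salt),
            "installation_id": installation_id,
            "revoked": False,
        }
        return key

    def revoke(self, key: str) -> None:
        rec = self._records.get(_lookup_id(key))
        if rec is not None:
            rec["revoked"] = True

    def verify(self, presented: str):
        """Return the installation_id the key is scoped to, or None if it is not valid."""
        if not presented.startswith(PREFIX):
            return None  # cheap reject before any slow hashing
        rec = self._records.get(_lookup_id(presented))
        if rec is None or rec["revoked"]:
            return None
        candidate = _slow_hash(presented, rec["salt"])
        if not hmac.compare_digest(candidate, rec["hash"]):
            return None
        return rec["installation_id"]

    def stored_plaintext(self) -> bool:
        """Demo sanity check: True if any stored field is a full key string."""
        return any(isinstance(v, str) and v.startswith(PREFIX)
                   for rec in self._records.values() for v in rec.values())


def demo():
    store = KeyStore()
    key = store.issue(installation_id=12345)
    tampered = key[:-1] + ("a" if key[-1] != "a" else "b")
    results = {
        "valid": store.verify(key),                                   # 12345
        "wrong_prefix": store.verify("ghp_" + key[len(PREFIX):]),     # None
        "tampered": store.verify(tampered),                           # None
        "no_plaintext": store.stored_plaintext(),                     # False
    }
    store.revoke(key)
    results["after_revoke"] = store.verify(key)                       # None
    return results


if __name__ == "__main__":
    print(demo())
```

Because only the hash is stored, a database leak does not yield usable keys, and the prefix check lets the server reject obviously foreign tokens before spending CPU on the slow hash; the prefix is also what secret-scanning tools match on when a key is accidentally committed.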
Data Retention & Deletion
Automatic Retention
- Test Data: Retained while repository is monitored
- CI Runs: Last 100 runs per test (rolling window)
- Usage Metrics: 12 months for billing compliance
Uninstallation
When you uninstall the GitHub App:
- All repository data is immediately archived (soft delete)
- Active analyses are stopped
- API keys are invalidated
- No new data is collected
Permanent Deletion
Archived data is permanently deleted after 30 days. To request immediate deletion, email contact@unfoldci.com with your GitHub username and installation ID.
Third-Party Services
UnfoldCI uses these trusted third-party services:
| Service | Purpose | Data Shared | Compliance |
|---|---|---|---|
| GitHub | Authentication, code access | Repository metadata, user info | SOC 2, ISO 27001 |
| OpenAI | AI analysis & fix generation | Test code (in-memory only) | SOC 2 Type II |
| Anthropic | AI analysis (escalation) | Test code (in-memory only) | SOC 2 Type II |
| AWS | Infrastructure (API, database, queue) | All application data | SOC 2, ISO 27001, PCI DSS |
Note: Per OpenAI and Anthropic's API policies, data sent via API is:
- Not used for model training
- Not retained after processing
- Subject to their enterprise privacy agreements
Compliance & Certifications
Current Status
- ✅ AWS SOC 2 Type II Compliant Infrastructure
- ✅ GDPR-Ready (EU data subject rights supported)
- ✅ CCPA Compliant (California privacy rights honored)
- ✅ Secure Development Lifecycle (automated security scanning)
Enterprise Features
For enterprise inquiries, contact contact@unfoldci.com.
Vulnerability Disclosure
If you discover a security issue, please report it to contact@unfoldci.com with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
We will respond within 24 hours and work to address the issue promptly.
Privacy Policy Highlights
Data We Collect
- Account Data: GitHub username, email, avatar URL
- Repository Data: Repo name, URL, test metadata
- Test Results: Pass/fail outcomes, duration
- Usage Data: API calls, feature usage, billing events
Data We Don't Collect
- Source code (except temporarily during analysis)
- Personal information beyond GitHub profile
- Test inputs/outputs or production data
- Sensitive credentials or secrets
Your Rights
You have the right to:
- Access your data (export from dashboard)
- Rectify incorrect data (update in Settings)
- Delete your data (uninstall + request deletion)
- Port your data (API export or CSV download)
- Object to processing (uninstall the app)
For full privacy policy, visit: unfoldci.com/privacy
Security Best Practices for Users
1. Protect Your API Keys
```yaml
# ✅ CORRECT: Store in GitHub Secrets
with:
  api-key: ${{ secrets.FLAKY_AUTOPILOT_KEY }}

# ❌ WRONG: Never hardcode
with:
  api-key: unfold_ci_abc123xyz  # DO NOT DO THIS
```
2. Review AI-Generated PRs
Before merging AI-generated fix PRs:
- ✅ Review the code changes carefully
- ✅ Run tests locally to verify the fix
- ✅ Ensure the fix doesn't introduce new issues
- ✅ Check that no other tests are affected
3. Use Organization Secrets
For multiple repositories:
- Go to your GitHub organization → Settings → Secrets
- Create organization secret FLAKY_AUTOPILOT_KEY
- Select which repositories can access it
- All selected repos use the same secret (easier to rotate)
4. Monitor Repository Access
Regularly review which repositories UnfoldCI has access to:
- Go to GitHub → Settings → Applications → UnfoldCI
- Review repository list
- Remove access for repos you no longer want monitored
5. Rotate Keys Periodically
We recommend rotating API keys every 6 months:
- Generate new key in UnfoldCI dashboard
- Update GitHub secret
- Revoke old key
- Verify CI runs successfully
Frequently Asked Questions
Q: Does UnfoldCI see my entire codebase?
A: No. We only access specific test files (and their imports) when analyzing a flaky test. We never scan or access your entire repository.
Q: Is my code used to train AI models?
A: No. Per OpenAI and Anthropic's API policies, data sent via API is not used for model training. Code is analyzed in-memory and discarded immediately.
Q: What happens if UnfoldCI is breached?
A: We follow industry best practices to prevent breaches:
- Regular security audits
- Automated vulnerability scanning
- Encrypted data storage
- Minimal data retention
In the unlikely event of a breach, we would:
- Immediately notify affected users
- Provide details on impacted data
- Implement additional security measures
- Offer assistance (credit monitoring if applicable)
Q: Can I use UnfoldCI with private repositories?
A: Yes! UnfoldCI fully supports private repositories. GitHub installation tokens ensure secure, authorized access to your private code.
Q: Where is my data stored?
A: All data is stored in AWS us-east-1 (Virginia).
Q: How do I export my data?
A: Contact contact@unfoldci.com to request your data export.
Q: Does UnfoldCI comply with GDPR?
A: Yes. We honor GDPR data subject rights including access, rectification, deletion, and portability. Contact contact@unfoldci.com to exercise your rights.
Contact
For security, privacy, or general questions:
Email: contact@unfoldci.com
We aim to respond within 24 hours.
Last Updated: December 2024