Security Policy

Services Used and Data Stored in Them

We use OVH to run all of the Perfvane components and to store OAuth tokens and user data. We store data related to Perfvane, in anonymized form, with the following services:

  • Google Analytics to track visits to our website.

We reserve the right to change the services used to run Perfvane at any time. Our use of the above services is bound to their respective security precautions and their availability.

How does Perfvane access my GitHub account?

When you sign up for Perfvane, we collect an OAuth token from GitHub, which allows us to request data from the GitHub API on your behalf. This OAuth token is stored securely in our database and is protected from unauthorized access.

The token is bound to permissions set on GitHub, so please make sure you've read their documentation on access control and API access permissions.

We use this token only in the situations described below, and under no other circumstances.

  • To synchronize the repositories you have access to. We use this information to show you the available repositories so you can enable or disable analyzing them on Perfvane.

However, to allow us to automatically specify service hook configurations and commit status on your GitHub repositories, we have to request write access to them.

How does Perfvane authenticate access to a repository?

  • Public Repos are visible to all Users and Guests
  • Perfvane always uses the acting User's Token to make API requests to GitHub when navigating Perfvane

Does Perfvane store source code?

We do not store source code.

Does Perfvane ever clone the repository?

No, never. Perfvane uses API requests to retrieve information necessary to perform its job and never stores source code in the result of an API request.

When does Perfvane write to my repository?

Perfvane will "write" to your repository only in the following processes:

  • Create/Update a Webhook.

Perfvane never adjusts source code, deletes branches, closes pull requests, or performs any other 'write' action.