Security
Last updated: April 2026
MatrixReview reviews your pull requests against your own documentation, security policies, and style guides. We take the security of your code and data seriously. This page describes the technical and organizational controls we have in place.
What We Access
When you install MatrixReview on a GitHub repository, we access two things: your repository's documentation files (scanned once during setup) and pull request diffs (read each time a PR is opened or updated). We do not access your full source code, commit history, issues, wikis, or any other repository data beyond what is needed to perform the review.
What We Store
- Documentation content you upload or that we scan from your repo. This powers the review knowledge base. You can view, edit, and delete documents at any time from the dashboard.
- Review findings including gate results, confidence labels, and traffic light outcomes. These are metadata about the review, not your source code.
- Dependency graph metadata showing file relationships, import chains, and security tags. This is structural data (file paths, line counts, import edges), not code content.
What We Do Not Store
- Your source code. Repository clones are created in temporary directories during graph building and deleted immediately after processing.
- PR diffs beyond 30 days. Diffs are retained temporarily for fix generation, then automatically purged from both disk and database.
- Credentials or tokens. GitHub installation tokens are short-lived (1 hour), generated via JWT, and never written to disk.
Security Controls
Infrastructure
MatrixReview runs on Railway (United States, us-west1). The application runs in isolated containers with no shared resources between customers. The persistent volume storing the encrypted database is not accessible from the public internet. There are no open ports beyond the application's HTTPS endpoint. SSH access is limited to the founder via Railway's authenticated CLI.
AI and LLM Processing
PR diffs and document chunks are sent to AI providers for analysis during the review process. These transmissions occur over HTTPS. The AI providers do not store your data beyond the duration of the API call per their respective terms of service.
- DeepSeek processes PR diff excerpts and document chunks during review (Pass 1 and Pass 2).
- Anthropic processes documents during classification and setup.
Your source code is never sent to any AI provider. Only PR diff excerpts and relevant documentation chunks are transmitted.
Subprocessors
The following third-party services process data on behalf of MatrixReview customers.
| Provider | Purpose | Data | Location |
|---|---|---|---|
| Railway | Hosting, compute, storage | Encrypted database, graph metadata | US |
| GitHub | Webhooks, PR comments, OAuth | Repository metadata, PR diffs (transient) | US |
| DeepSeek | LLM inference for PR review | PR diff excerpts (transient) | China |
| Anthropic | Document classification | Document content during setup | US |
| GitHub Pages | Static website hosting | No customer data | US (CDN) |
We will notify customers at least 30 days before adding a new subprocessor that handles customer data.
GDPR
MatrixReview is committed to GDPR compliance. We maintain the following:
- Right to erasure: Full data deletion endpoint wipes all documents, reviews, findings, embeddings, graph data, and user records.
- Right to portability: Data export endpoint provides a complete JSON dump of all your data.
- Records of processing: Documented per GDPR Article 30, covering all processing activities with legal basis, recipients, and retention periods.
- Data Processing Agreement: Available on request for customers requiring a formal DPA.
- Breach notification: Incident response plan with 72-hour notification commitment per Article 33.
- Data minimization: We store only what is necessary to provide the service. Source code is never persisted. PR diffs are purged after 30 days.
SOC 2
MatrixReview has implemented all technical and organizational controls required for SOC 2 Type I certification under the Security Trust Services Criterion:
- Risk assessment: Formal risk register with 10 identified risks, controls, and residual risk ratings. Reviewed quarterly.
- Incident response: Documented plan with severity levels, response phases, evidence preservation, and post-mortem procedures.
- Access control: Principle of least privilege. Infrastructure access limited to the founder. All secrets in encrypted environment variables, never in code.
- Encryption: AES-256 at rest (SQLCipher), TLS in transit.
- Audit trail: Append-only log of all data operations.
- Change management: All changes deployed through Git with full commit history. No manual production modifications.
- Data retention: Automated 30-day purge of sensitive data. Indefinite retention of non-sensitive review metadata.
A note on certification
MatrixReview is a bootstrapped, founder-funded startup. We have implemented every technical and organizational control that SOC 2 and GDPR require. We maintain formal risk assessments, incident response plans, data processing agreements, and complete records of processing activities.
We have not yet undergone a formal SOC 2 audit ($20,000-50,000+). Formal certification will be pursued as the company scales. In the meantime, we are happy to walk through our controls, share our security documentation, and answer any questions about how we protect your data.
Contact admin@matrixreview.io for security documentation, our DPA, or to schedule a security review call.
Responsible Disclosure
If you discover a security vulnerability in MatrixReview, please report it to admin@matrixreview.io. We ask that you give us reasonable time to address the issue before public disclosure.
Contact
For security questions, data deletion requests, DPA inquiries, or to report a vulnerability: admin@matrixreview.io