We never see your code.
Your jobs run in isolated microVMs on dedicated bare metal. Every token is scoped. Every microVM is destroyed when the job ends.
- SOC 2 in progress
- ISO/IEC 27001:2022 data centers
- Quarterly pen testing
- GitHub SSO only
Job security
Every job is isolated. Every token expires.
Job isolation
Every job runs in a secure, isolated Firecracker microVM on bare metal, protected by a private VPN. When the job completes, the microVM is destroyed along with all its state. Jobs never share kernels.
JIT tokens
For each job, we mint a just-in-time (JIT) token that is scoped to that job and expires after one hour. Our GitHub integration has no ability to directly access organization or repository-level secrets.
Cache security
Artifacts are cached on Cloudflare R2, co-located on the same bare-metal fleet. Access is authenticated and audited. Data is encrypted and isolated by organization.
Login & access
Login is exclusively through GitHub SSO. Once integrated, GitHub forwards job requests to us — we never initiate access to your repositories.
Compliance
SOC 2 in progress. Hardware runs in ISO/IEC 27001:2022-certified data centers. We answer security questionnaires. We pay hackers to pen test our system every quarter.
GitHub App
Exactly what we ask for — and why.
| Permission | Reason |
|---|---|
| Read access to members and metadata | To list users in our settings page |
| Read and write access to actions, code, pull requests, and workflows | For our migration wizard to make a pull request with all the required code changes |
| Read and write access to organization self-hosted runners | To mint just-in-time (JIT) tokens and enable our managed runners to run your jobs |
Have a security questionnaire? We'll fill it out.
Contact our security team