Security at AutomaDocs
Below is how the product is built today: hosting, transport, access control, and how your data is scoped. For legal terms, see the Privacy Policy.
Infrastructure Security
The web app is deployed on Vercel; the API and workers run on Railway. Encryption at rest and network protections depend on those providers and our database host - see their documentation for details.
- ✓ HTTPS (TLS) between browsers and our services
- ✓ The public codebase runs scheduled CI checks including Semgrep and TruffleHog (see .github/workflows)
Data scoping
AutomaDocs is a multi-tenant service: shared application processes serve many customers. Access is enforced in application code, not by separate physical servers per customer.
- ✓ API routes check authentication and ownership (for example, repositories are loaded with user_id constraints)
- ✓ Pinecone searches filter vectors by repository metadata (repoId); the index is not split per customer by namespace
- ✓ Optional audit log entries for sensitive actions where that feature is used
Authentication & Access
GitHub OAuth (and optional Google where enabled); JWTs issued by the API.
- ✓ GitHub OAuth; Google OAuth where configured
- ✓ JWT access tokens default to a 7-day expiry (see backend generateToken) with refresh in the web app
- ✓ HTTP-only cookies prevent page scripts (including XSS payloads) from reading the token
- ✓ CSRF protection on all state-changing operations
- ✓ SSO-related routes exist for supported plans when configured
Code Security
Your code is accessed only with your explicit permission.
- ✓ Repository access requires explicit user authorization
- ✓ GitHub tokens can be stored encrypted when TOKEN_ENCRYPTION_KEY is set
- ✓ Webhook signatures validated on every request (SHA-256 HMAC)
- ✓ Rate limiting prevents abuse and brute-force attacks
- ✓ Generated documentation and derived embeddings are stored so search and docs work; see Privacy Policy for retention
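The webhook signature check described above, as an added example that is not code from the AutomaDocs project: it follows the GitHub convention of an X-Hub-Signature-256 header carrying "sha256=" plus the hex HMAC-SHA256 of the raw request body, rejects every malformed or mismatched case before the payload is parsed, and compares digests in constant time. The secret, body and header dict below are constructed for the example.

```python
import hashlib
import hmac
from typing import Mapping

# Constructed sample values for this example only; not real secrets or traffic.
WEBHOOK_SECRET = b"example-webhook-secret-do-not-use"
SAMPLE_BODY = b'{"action":"push","repository":{"id":42}}'
SIGNATURE_HEADER = "X-Hub-Signature-256"


def sign_payload(secret: bytes, body: bytes) -> str:
    """Build the header value the sender attaches: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    digest = hmac.new(secret, body, hashlib.sha256).hexdigest()
    return f"sha256={digest}"


def verify_webhook(secret: bytes, headers: Mapping[str, str], raw_body: bytes) -> bool:
    """Return True only if the request carries a valid HMAC-SHA256 signature over the raw body.

    Every failure path (missing header, unexpected scheme, empty digest, mismatch)
    returns False so the caller can reject the request before acting on the payload.
    The HMAC must be computed over the exact bytes received, not a re-serialised JSON object.
    A plain dict is assumed here; a real framework's header object handles case-insensitivity.
    """
    header = headers.get(SIGNATURE_HEADER)
    if not header:
        return False
    scheme, _, received_hex = header.partition("=")
    if scheme != "sha256" or not received_hex:
        return False
    expected_hex = hmac.new(secret, raw_body, hashlib.sha256).hexdigest()
    # Constant-time comparison: a plain == would leak timing information about the digest.
    return hmac.compare_digest(expected_hex.encode(), received_hex.encode())
```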
Compliance & Privacy
Legal details are in the Privacy Policy and Terms. We do not claim a specific third-party certification (for example SOC 2) for the AutomaDocs product unless we publish an attestation.
- ✓ Privacy Policy describes processing, subprocessors, and contact for requests
- ✓ We do not sell personal data or source code to third parties
- ✓ Docker Compose and setup scripts in the repository support self-hosting your own stack; managed cloud remains the default
Responsible Disclosure
Reports are read by humans; timelines depend on severity and capacity.
If you discover a security vulnerability in AutomaDocs, please report it responsibly. We aim to acknowledge valid reports and coordinate fixes without blaming good-faith researchers.
- Credit in acknowledgments if you want it
- No legal threats against good-faith research as described in the report
Contact: security@automadocs.ai
Please include detailed steps to reproduce the vulnerability and any relevant proof-of-concept code.