Security & Privacy

Your data is yours.
We take that seriously.

Exodocs connects to your code repositories, documentation hub, and notification channels. Here is exactly what we access, how we protect it, and what we never do.

Last updated April 2026 — reflects current production implementation


Encrypted at rest

Your integration credentials are encrypted in our database using AES-256 column-level encryption. A database dump reveals only ciphertext.

Read-only access only

Exodocs never writes to your repositories or documentation pages (unless you explicitly enable inline annotations). We only read what we need to compute freshness scores.

No code stored

We never store your source code. We store file paths and commit metadata only. Git diffs are fetched temporarily for AI analysis and never persisted to our database.

01

What Exodocs accesses

Exodocs connects to three categories of external service on your behalf: your code repository, your documentation hub, and your notification channel. Here is the precise scope of what we access in each — nothing more.

Code repository — webhook events + read-only API
We receive push events via webhook (file paths changed, commit SHA, author, message). We read commit metadata and the repository file tree via the provider's API. We optionally fetch commit diffs for AI drift analysis. We never write to your repositories. We never read file contents — only file paths.
Documentation hub — read-only page access
We use an integration token that you create and scope yourself within your documentation platform. We read the title, last-edited timestamp, and block content of pages you explicitly share with the integration. We only see pages you choose to connect. We never access your workspace broadly. Optionally, with your permission, we post drift alert annotations on specific pages.
Notification channel — outbound alerts only
We use an incoming webhook URL to post alert messages to a channel you specify. This is a strictly one-way channel — we can only post messages. We cannot read your channel messages, access your workspace, or post to any channel other than the one the webhook is configured for.
02

Encryption

We apply encryption at multiple layers. All network traffic uses TLS. All integration credentials use column-level database encryption, which provides stronger guarantees than disk-level encryption alone.

Credentials encrypted at rest — AES-256
Your integration credentials — documentation tokens, repository access tokens, and notification webhook URLs — are encrypted using AES-256-GCM before being written to our database. Even Exodocs engineers with direct database access cannot read your credentials in plaintext. Encryption keys are stored separately from the database.
TLS 1.2+ in transit — everywhere
All traffic between your browser and Exodocs, and between Exodocs and your connected services, is encrypted with TLS 1.2 or higher. HTTPS is enforced — plain HTTP is rejected. SSL certificates are provisioned automatically and renewed before expiry.
Incoming webhooks — HMAC-SHA256 verified
Every incoming webhook payload is verified using HMAC-SHA256 before it is processed. Payloads with an invalid or missing signature are rejected immediately with a 401 Unauthorized response. This prevents spoofed webhook events from affecting your freshness scores.
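
The check described above, as an added example (not Exodocs' own code). It assumes a GitHub-style `X-Hub-Signature-256: sha256=<hex>` header; the secret, payload, function names and the 202 success status are constructed for illustration.

```python
import hashlib
import hmac

SIGNATURE_HEADER = "x-hub-signature-256"  # GitHub's header name, lower-cased
PREFIX = "sha256="


def sign(secret: bytes, raw_body: bytes) -> str:
    """Signature the sender attaches: HMAC-SHA256 over the raw request body."""
    return PREFIX + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, raw_body: bytes) -> int:
    """Return the HTTP status to answer with: 401 unless the signature verifies."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    normalised = {k.lower(): v for k, v in headers.items()}
    received = normalised.get(SIGNATURE_HEADER)
    if not received or not received.startswith(PREFIX):
        return 401  # missing or malformed signature: reject before parsing
    # Compute over the exact bytes received, never over re-serialised JSON.
    expected = sign(secret, raw_body)
    # compare_digest runs in constant time, so response timing does not
    # reveal how many leading characters of the signature matched.
    if not hmac.compare_digest(expected.encode(), received.encode()):
        return 401
    return 202  # assumed success status: payload accepted for processing


def demo() -> dict:
    """Run the verifier over constructed requests and collect the statuses."""
    secret = b"constructed-example-secret"
    body = b'{"ref":"refs/heads/main","after":"<commit-sha-placeholder>"}'
    good = {"X-Hub-Signature-256": sign(secret, body)}
    return {
        "valid": verify_webhook(secret, good, body),
        "tampered_body": verify_webhook(secret, good, body + b" "),
        "missing_header": verify_webhook(secret, {}, body),
        "wrong_secret": verify_webhook(b"other-secret", good, body),
        "no_prefix": verify_webhook(secret, {"X-Hub-Signature-256": "abc"}, body),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```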
03

What data we store — and what we don't

We store the minimum data needed to compute documentation freshness. We have made deliberate technical decisions to avoid storing sensitive information.

| Data | Stored? | Details |
| --- | --- | --- |
| Documentation page title | ✅ Yes | Cached title used for alert messages and the dashboard. Refreshed on sync. |
| Documentation page last-edited timestamp | ✅ Yes | Used to detect when a human has updated the document and reset the freshness score. |
| Documentation page content (text) | ⏱ Cached 24h | Plain text extracted from page blocks is cached for AI analysis. It is never written to our persistent database and expires after 24 hours. |
| Commit SHA, message, author | ✅ Yes | Stored to power the staleness event log and alert messages. |
| GitHub changed file paths | ✅ Yes | Stored as a JSON array. Used to match commits against your page-code mappings. |
| Repository file tree | ⏱ Cached 24h | Repository file tree cached for AI mapping suggestions. Never stored in persistent database. |
| Git diff / source code | ❌ Never | Diffs are fetched temporarily for AI drift analysis and discarded immediately. They are never written to disk or database. |
| File contents | ❌ Never | We store file paths only, never file contents. Exodocs does not index or read your source code. |
| Your integration credentials | ✅ Encrypted | Stored in AES-256 encrypted columns. Never logged, never sent to third parties, never visible in plaintext to any Exodocs team member. |
| Notification channel messages | ❌ Never | We post alerts to your notification channel via an outbound webhook. We have no ability to read your channel messages. |

Data deletion: When you remove a documentation page or disconnect an integration, the associated data is deleted immediately from our database. When you close your account, all your organisation's data is permanently deleted within 30 days.
04

Access control & permissions

Exodocs uses role-based access control within every organisation. Your data is isolated at the database level — no organisation can access another's data by design, not just by policy.

Owner (organisation owner)
Full control. Manages integrations, billing settings, invites members, can delete the organisation.

Admin (organisation admin)
Manages pages, repos, and mappings. Can update integration settings. Cannot manage billing or delete the org.

Member
Read access to the dashboard and staleness events. Cannot change settings or manage mappings.

Row-level tenant isolation
Every database query is scoped through the organisation. It is not possible for one organisation's users to access another organisation's pages, repos, or events — even if they share the same Exodocs account. Isolation is enforced in application code on every request, not just by convention.
Invite-only team access
New members join an organisation only by invitation from an owner or admin. Invitations expire after 7 days. There is no self-service way to join an existing organisation — access must be explicitly granted.
Exodocs admin access — logged and limited
Exodocs internal team members with admin access can view organisation metadata (name, member count, plan) for support purposes. They cannot view your integration tokens in plaintext — tokens are encrypted and only decrypted server-side when making API calls on your behalf. Admin access events are logged.
Account lockout protection
Accounts are locked after 10 consecutive failed sign-in attempts. Locked accounts receive an unlock email — brute force attacks are blocked at the application level before reaching any data.
05

Infrastructure & availability

Exodocs is hosted on managed infrastructure with automated backups, monitoring, and zero-downtime deployments. We do not manage physical servers.

Application hosting — managed cloud platform
Exodocs runs on managed cloud infrastructure in the United States. The platform handles OS patching, hardware maintenance, and TLS certificate renewal automatically. We do not manage physical servers.
Database — managed with automated backups
Persistent data is stored in a managed relational database with daily automated backups. Backups are retained for 7 days. Point-in-time recovery is available on paid tiers.
Cache layer — ephemeral, never persistent
An in-memory cache layer is used exclusively for short-lived data: documentation page content (24h TTL), repository file trees (24h TTL), and background job queues. No persistent customer data is stored in the cache. Cache data is lost on restart without any impact on application correctness.
Zero-downtime deployments
Application updates are deployed with zero-downtime rolling restarts. Database migrations that require locking are applied during low-traffic windows. We aim for 99.9% monthly availability for paying customers.
06

Sub-processors

These are the third-party services that may process your data as part of the Exodocs service. We select sub-processors carefully and require that they maintain appropriate security standards.

| Service | Purpose | Data processed | Location |
| --- | --- | --- | --- |
| Railway / Render | Application hosting & database | All application data including encrypted credentials | USA |
| Upstash Redis | Ephemeral caching | Documentation page content (24h TTL), repository file trees (24h TTL) | USA |
| Anthropic | AI drift analysis & mapping suggestions | Commit messages, file paths, documentation page text (where AI features are enabled) | USA |
| GitHub | Code repository webhooks & API | Commit events, file trees, diffs (read-only, where connected) | USA |
| Notion | Documentation hub reads | Page titles, timestamps, block content of connected pages (where connected) | USA |
| Slack | Outbound alert delivery | Alert message content posted to your designated channel (where connected) | USA |

Note on AI processing: When AI features generate drift summaries or mapping suggestions, commit messages, file paths, and documentation page text are sent to our AI provider (Anthropic) for processing. Our AI provider does not use submitted data to train models by default. You can disable all AI features in your organisation settings at any time.
07

Responsible disclosure

We take security reports seriously and respond quickly. If you discover a vulnerability in Exodocs, please tell us privately before disclosing it publicly — we will work with you to fix it.

Our commitments to you:
We will acknowledge your report within 48 hours.
We will keep you informed of progress as we investigate.
We will not take legal action against researchers acting in good faith.
We will credit you (with your permission) when we disclose the fix.

Found something?

Email us with a description of the issue, steps to reproduce, and any relevant evidence. We respond within 48 hours.

security@exodocs.dev

We do not currently operate a paid bug bounty programme. We appreciate responsible disclosures and will acknowledge your contribution publicly if you would like that.

Please do not test against other customers' accounts or data. If you need a test environment, contact us and we will provide one.