litmusly
POLICY SECURITYUPDATED July 16, 2026SCOPE GITHUB APP + SERVICE

Security posture.

Exactly what Litmusly can access, why each GitHub permission exists, how your data is protected, and how to reach us about a vulnerability.

01
ACCESS MODEL

Litmusly never reads your source code

Reagents test the deployed PR preview in a browser — the same URL a human reviewer would open. The GitHub App does not request the contents permission, so it cannot read repository code, and it does not request issues, statuses, or checks. If an installation screen ever shows a permission not listed below, stop and contact us before approving.

02
PERMISSIONS

Every GitHub permission, justified

pull_requests · read + write

Read reads PR metadata — the target branch and head SHA that identify the preview. Write posts the single findings comment and edits it in place on later pushes.

deployments · read

Finds the Vercel preview deployment for the PR and polls until it is ready. Vercel's GitHub integration populates this API.

03
DATA PROTECTION

How stored data is handled

  • Webhook deliveries are verified with an HMAC SHA-256 signature before any processing.
  • GitHub access tokens are minted per installation, on demand, and expire after one hour. No long-lived repo token is stored.
  • Preview credentials you configure (Vercel bypass secrets, test login passwords) are encrypted at rest with AES-256-GCM. Test passwords are typed into the page deterministically and never pass through a language model.
  • API keys you bring (BYOK) are encrypted at rest with AES-256-GCM.
  • Walk artifacts — traces and screenshots of your preview — are retained to render run history and the PR comment.
04
COMPLIANCE

Certification status

Litmusly is not SOC 2 certified today, and we will not claim otherwise. The controls above are what actually runs in production. For GDPR questions — what we collect, retention, deletion requests — see the privacy policy or write to us.

05
DISCLOSURE

Reporting a vulnerability

Found a security issue? Email hello@litmusly.com with SECURITYin the subject line. Include steps to reproduce and the impact you observed. Please test only against your own installations and data — never other customers’.