Privacy & Security
We built Concordance for engineering teams who care about their craft. We treat your data with the same rigor we expect from the tools we use ourselves.
What we access
Concordance requests read-only access to your repositories. We analyze repository metadata, CI configuration and a short list of project documents, not your source code.
✓ Branch protection rules: Are reviews required? Is force-push blocked?
✓ Pull request metadata: PR count, review comments, merge patterns, turnaround time
✓ Commit history (metadata only): Commit messages, authors and frequency, not file diffs
✓ CI/CD workflow files: GitHub Actions YAML, read to detect testing, linting and security-scanning steps; the workflows themselves are never run
✓ Release tags and notes: Versioning patterns, release cadence, changelog quality
✓ Repository files (select): README, CONTRIBUTING, CODEOWNERS, SECURITY.md, /docs, LICENSE, CHANGELOG
✓ Issue labels: Bug, incident and postmortem labels, used for operations scoring
Linear integration
When you connect Linear, Concordance requests read-only access to your workspace. We analyze issue and project metadata to score requirements and design standards.
✓ Issues and labels: Issue status, labels, priority and estimates, for requirements and backlog scoring
✓ Cycles (sprints): Cycle length, completion rates and rollover patterns, for sprint planning scoring
✓ Projects: Project structure and progress, for traceability and roadmap scoring
✓ Team membership: Team structure, used to map Linear teams to Concordance assessments
✓ Documents (metadata only): Document titles and timestamps, for design docs and ADR scoring. We never read document content
What we never do
✗ Read or store your source code: We never clone repositories or read file contents beyond the workflow and project files listed above
✗ Modify anything in your repositories: All access is read-only. The GitHub App is registered with read-only permissions, so GitHub itself rejects any attempt to push commits, merge PRs or change settings
✗ Access private credentials or secrets: We look for secret-scanning tooling in your CI configuration, not for the secrets themselves
✗ Share your data with third parties: Your assessment data is yours. We never sell or share it, or use it for training; the hosting and database providers listed under Infrastructure store it only on our behalf
✗ Store raw API responses: We extract scores and evidence summaries, then discard the raw data
✗ Run code or execute workflows: We read workflow definitions to understand your CI/CD setup. We never trigger them
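As an added illustration (not Concordance's code, which this page does not show) of what "read workflow definitions, never trigger them" means in practice, the script below classifies the steps of a constructed GitHub Actions workflow by scanning its YAML text alone. The action names and command patterns it recognises are assumptions, not an exhaustive vocabulary. It goes one step past the page by also listing actions that are not pinned to a commit SHA, a supply-chain check anyone reviewing CI configuration would want.

```python
"""Static classification of a GitHub Actions workflow from its YAML text.

Reads the workflow definition only: no job is triggered and no command is
executed. Regex-based line scanning keeps the script dependency-free; the
vocabularies below are assumptions, not a complete list of tools.
"""
import re

# Constructed sample workflow; not taken from any real repository.
# The 40-hex SHA on setup-node is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
        with:
          node-version: 20
      - run: npm ci
      - run: npm test -- --coverage
      - name: Lint
        run: |
          npx eslint .
          npx prettier --check .
      - uses: gitleaks/gitleaks-action@v2
      - uses: github/codeql-action/analyze@v3
"""

# Heuristic vocabularies (assumptions about what each practice looks like).
TEST_PATTERNS = [r"\bnpm test\b", r"\bpytest\b", r"\bgo test\b", r"\bcargo test\b"]
LINT_PATTERNS = [r"\beslint\b", r"\bruff\b", r"\bflake8\b", r"\bgolangci-lint\b"]
SECRET_SCAN_ACTIONS = ("gitleaks/gitleaks-action", "trufflesecurity/trufflehog")
SAST_ACTIONS = ("github/codeql-action", "semgrep/semgrep-action")

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^\s*-?\s*run:\s*(.*)$")
PINNED_SHA_RE = re.compile(r"@[0-9a-f]{40}$")


def _indent(line):
    return len(line) - len(line.lstrip())


def extract_steps(text):
    """Return [('uses', ref) | ('run', command)] in file order.

    Block scalars (run: |) are handled by joining the indented continuation
    lines into one command string. Nothing here runs those commands.
    """
    lines = text.splitlines()
    steps, i = [], 0
    while i < len(lines):
        line = lines[i]
        if m := USES_RE.match(line):
            steps.append(("uses", m.group(1)))
        elif m := RUN_RE.match(line):
            value = m.group(1).strip()
            if value in ("|", "|-", ">", ">-"):
                base, block = _indent(line), []
                i += 1
                while i < len(lines) and (not lines[i].strip() or _indent(lines[i]) > base):
                    block.append(lines[i].strip())
                    i += 1
                steps.append(("run", " ".join(b for b in block if b)))
                continue  # already positioned on the first line after the block
            steps.append(("run", value))
        i += 1
    return steps


def classify(text):
    """Map each practice to the step text that evidences it (the 'evidence summary')."""
    found = {"testing": [], "linting": [], "secret_scanning": [], "sast": []}
    for kind, value in extract_steps(text):
        if kind == "uses":
            name = value.split("@", 1)[0]
            if name.startswith(SECRET_SCAN_ACTIONS):
                found["secret_scanning"].append(value)
            if name.startswith(SAST_ACTIONS):
                found["sast"].append(value)
        else:
            if any(re.search(p, value) for p in TEST_PATTERNS):
                found["testing"].append(value)
            if any(re.search(p, value) for p in LINT_PATTERNS):
                found["linting"].append(value)
    return found


def unpinned_actions(text):
    """Actions referenced by tag or branch rather than an immutable commit SHA."""
    return [ref for kind, ref in extract_steps(text)
            if kind == "uses" and not PINNED_SHA_RE.search(ref)]


if __name__ == "__main__":
    for practice, evidence in classify(SAMPLE_WORKFLOW).items():
        print(f"{practice:16} {'present' if evidence else 'absent':8} {evidence}")
    print("unpinned:", unpinned_actions(SAMPLE_WORKFLOW))
```

Only the matched step strings survive as evidence; the workflow text itself is not kept, which is the shape of "extract summaries, discard the raw data" described above.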
What we store
Your profile: GitHub username, email and avatar, used for authentication
OAuth tokens: Encrypted at rest with AES-256; used to authenticate API requests made on your behalf
Assessment scores: 50 scores (1-5) with evidence summaries, per team per scan
Audit logs: Login events, scan triggers and team changes, kept so you can review activity on your account
Infrastructure
Hosting: Vercel (SOC 2 Type II compliant)
Database: Supabase (PostgreSQL, SOC 2 Type II compliant)
Authentication: GitHub OAuth via a registered GitHub App
Encryption: TLS for data in transit; AES-256 for stored OAuth tokens
Revoking access
You can uninstall the Concordance SDLC GitHub App at any time from your GitHub settings. This immediately revokes all of the App's access to your repositories. Your assessment data remains in your account until you choose to delete it. To delete your account and all associated data, contact us.
Questions?
Reach out anytime — hello@concordancelabs.com