Security

How GitVelocity Protects Your Credentials

GitVelocity integrates with GitHub, Bitbucket, and Anthropic. All credentials are encrypted at rest and decrypted only in memory at the moment of use.

Your Data Stays Yours

GitVelocity is built by Headline, a venture capital firm. We do not sell your data, monetize usage analytics, or operate any commercial side business around GitVelocity. Our limited partner agreements prohibit us from running commercial ventures outside of our core investment activity. Data monetization is structurally excluded from our operations.

We only read the diff of each merged pull request -- the same content you would see in a code review. We do not clone your repositories, build a graph of your source code, or retain diffs after scoring. The only things stored are the score, its dimensional breakdown, and a brief rationale. Your source code is processed and immediately discarded.

Encryption at Rest

  • AES-256-GCM authenticated encryption (protects confidentiality and detects tampering)
  • Unique random salt and initialization vector per credential
  • Scrypt key derivation (N=16384, r=8, p=1) makes brute-force impractical
  • Encryption keys stored as environment secrets, never in the database

Version Control Provider Tokens

GitHub

  • GitHub App model: no user OAuth tokens stored
  • Short-lived installation tokens generated on demand by GitHub's API
  • Tokens expire automatically and are never persisted

Bitbucket

  • OAuth tokens encrypted immediately after authorization
  • Short-lived access tokens with automatic refresh before expiry
  • Each refresh produces new encrypted credentials; old values replaced
  • Plaintext tokens exist only briefly in server memory during API calls

AI API Keys

  • Your Anthropic API key is encrypted with AES-256-GCM before storage
  • Only the last four characters are stored separately for identification
  • The full key is never returned through the API or displayed in the UI
  • Keys can be removed at any time from organization settings
  • Key validation uses a lightweight API call that does not consume significant quota
  • All API key operations (set, remove, validation failures) are recorded in an audit log with timestamp, user, and IP address

Authentication and Access Control

  • User authentication via Auth0 with RS256-signed JWTs
  • JSON Web Key Set (JWKS) validation with automatic key rotation
  • Role-based organization membership: owner, admin, and member roles
  • Organization-scoped access ensures users only see their own data
  • Rate limiting on sensitive endpoints to prevent abuse

Webhook Verification

  • Every incoming webhook from GitHub and Bitbucket is signed with HMAC SHA-256
  • Signatures verified using constant-time comparison to prevent timing attacks
  • Webhooks with missing or invalid signatures are rejected immediately

Your Control

  • Revoke GitHub access anytime from GitHub Settings > Applications
  • Revoke Bitbucket access anytime from your Bitbucket workspace settings
  • Remove your Anthropic API key from GitVelocity organization settings
  • All associated tokens are invalidated immediately upon revocation

Communication Security

  • All API traffic between GitVelocity, your browser, and third-party providers travels over HTTPS/TLS
  • Credentials are never transmitted in URLs or query parameters

Compliance

GitVelocity operates in both the US and Europe. We hold ourselves to European regulatory standards. We follow CIS benchmarks, conduct regular penetration testing, and are compliant with GDPR and the EU Digital Operational Resilience Act (DORA).

Questions

For security questions or to report a vulnerability, contact support@headline.com.