Security & Trust
difflore handles your team's pull request review comments — code snippets, architectural discussions, and reviewer reasoning that are often more sensitive than the source itself. This page describes exactly what we collect, where it goes, what we never do with it, and how to delete it.
Effective 2026-04-28 · Last updated 2026-04-28
At a glance:
- We never use your data to train AI models.
- We never sell or share your data with third parties.
- We never route BYOK model calls through our own provider accounts.
- Reporting concerns: hello@difflore.dev. We respond within 48 hours.
- What we store: PR review comments, PR metadata, extracted rule candidates, rule embeddings, and operational logs. We do not clone or persist repository contents outside the reviewed snippets.
- Subprocessors: Anthropic/OpenAI/Voyage for inference and embeddings, Neon for storage, Stripe for billing, and Cloudflare for request metadata.
- Your controls: request an export by email, delete review data from Settings, disable ingest by uninstalling the GitHub App, or use BYOK for model calls.
- Retention: raw PR comments default to 12 months on Free/Pro, 24 months on Team unless changed, and contract terms on Enterprise.
What we store
When you connect a GitHub repository through the difflore Cloud GitHub App, we receive and persist:
- PR review comments (`pr_review_comments.body`), including code snippets the reviewer quoted
- PR metadata: title, author, base/head SHA, file paths touched, merge state, but not full repository snapshots
- Extracted rule candidates: structured rules our pipeline derives from the comments (`candidate_rules`)
- Embedding vectors of those rules (`memory_nodes`): vectors only, not the original code
- Operational logs: webhook delivery records, request timestamps, rate limit counters
We do not clone, scan, or persist your repository contents outside the scope of received PR review comments and the file paths those comments reference.
What we never do
- We never use your data to train AI models. Not our own, not our subprocessors'. This is contractual with Anthropic, OpenAI, and Voyage through their API terms, and reinforced in our own ToS.
- We never sell or share your data with third parties beyond the named subprocessors below.
- We never route BYOK model calls through our own provider accounts. When you provide an Anthropic or OpenAI API key, our worker calls that provider directly with your key. The prompt and response do pass through our worker in transit, so the worker process handles them in plaintext, but nothing is retained on our infrastructure beyond the structured extraction output.
Subprocessors
| Subprocessor | Purpose | Data exposed |
|---|---|---|
| Anthropic | LLM inference (when BYOK uses Anthropic, or under platform-included quota) | Prompts and responses for extraction + critique |
| OpenAI | LLM inference (when BYOK uses OpenAI) | Prompts and responses for extraction + critique |
| Voyage AI | Embedding generation for managed /api/embeddings endpoint | Rule text only (not raw PR comments) |
| Neon (US-East) | Postgres host | All persisted data, encrypted at rest |
| Stripe | Billing | Customer email, plan, usage records (no code data) |
| Cloudflare | Edge & DNS | Request metadata only |
We notify customers in advance of any subprocessor changes via the email on file. To subscribe to subprocessor change notices independently, email hello@difflore.dev.
Data flow
For a PR ingestion event under platform-included quota (Pro/Team):
- GitHub PR comment → difflore Cloud webhook (encrypted in transit, TLS 1.3)
- webhook → `pr_review_comments` table (encrypted at rest, Neon-managed)
- review-extractor worker reads the comment → Anthropic API (HTTPS; no retention by Anthropic under zero-data-retention terms)
- extraction response written to `candidate_rules`
- rule text sent to Voyage for embedding (HTTPS, no retention) → returned vector written to `memory_nodes`
For a BYOK customer the LLM call uses the customer's key against their own provider account; the prompt + response still passes through our worker but is not persisted beyond the extraction output.
Retention defaults
| Plan | Default retention for raw PR comments |
|---|---|
| Free | 12 months rolling |
| Pro | 12 months rolling |
| Team | 24 months, configurable in Settings |
| Enterprise | Per contract (down to ephemeral / extract-and-discard) |
Retention applies to raw comment bodies. Extracted rules and rule candidates are kept indefinitely as they form your team's accumulated review memory — but you can delete them at any time (see below).
Your controls
- Export: email hello@difflore.dev and we will provide a copy of the PR comments, candidate rules, and embeddings tied to your account (supporting your GDPR Article 20 portability right). Self-serve in-app export is on the roadmap.
- Delete: Settings → Account → Delete all my PR data immediately removes rows from `pr_reviews`, `pr_review_comments`, `candidate_rules`, and `memory_nodes` for your account. Irreversible.
- Disable ingestion: uninstalling the difflore GitHub App from a repository stops new ingestion immediately. Historical data is retained per the schedule above unless explicitly deleted.
- BYOK opt-in: switching to BYOK stops platform-funded inference. The prompt still passes through our worker, but inference is now billed to your provider account, not ours.
Encryption
- In transit: TLS 1.3 for all customer-facing endpoints; TLS (Neon-managed) for internal worker → DB connections.
- At rest: Neon transparent encryption (AES-256) for all persisted data. Application-level encryption for sensitive fields such as `userSync.settings.llmApiKey` (BYOK keys), using AES-256-GCM with a per-record IV.
A separate hardening track will extend application-level encryption to `pr_review_comments.body` for Team and Enterprise plans. Until that ships, raw comment bodies are protected by Neon's transparent at-rest encryption only. Transparent encryption defends against compromise of the underlying storage media; any client holding database credentials still reads those bodies in plaintext, which is the gap the hardening track closes.
Incident response
In the event of a security incident affecting customer data, we commit to:
- Notify affected customers within 72 hours of confirmation.
- Publish a public post-mortem within 30 days of resolution.
- Coordinate disclosure with security researchers via hello@difflore.dev.
Compliance roadmap
| Item | Status |
|---|---|
| ToS, Privacy Policy, this Security page | published |
| Subprocessor disclosure & change notice | published |
| Customer-initiated data delete (self-serve); export via email | published |
| Application-level encryption for raw PR comments | in progress (2026-Q3) |
| SOC 2 Type I | planned (2026-Q4 — gated by Enterprise demand) |
| SOC 2 Type II | planned (2027-Q2) |
| Self-hosted / private deployment | available on Enterprise contract |
We do not advertise compliance certifications we do not yet hold. If a status above moves from planned to published, this page is updated and existing contracts are notified.
Reporting concerns
Security researchers, compliance contacts, and customers with questions should email hello@difflore.dev. We respond within 48 hours.
For data subject requests under GDPR / CCPA / similar regimes: erasure is self-serve via Settings → Account → Delete all my PR data, which is usually the fastest path; access and portability requests are handled by email (see Export above). Email us if you need a non-self-serve path for deletion as well.