Security & Data Privacy

ShipRelay is built with security as a priority. Here's how we protect your data.

Authentication

  • GitHub OAuth with read-only repository access
  • Session management via NextAuth.js (secure HTTP-only cookies)
  • No passwords stored — GitHub handles authentication

Encryption

  • GitHub OAuth tokens encrypted at rest using AES-256-GCM
  • Encryption key derived from server-side secret via SHA-256
  • All traffic served over HTTPS (enforced by Vercel)

Data isolation

  • Row-level security (RLS) enforced on every database table
  • Users can only access their own data — enforced at the database level, not just the application layer
  • Analytics data is visible only to the repository owner

AI processing

  • Only commit messages and PR descriptions are sent to Anthropic's Claude API
  • Source code is never sent to any AI model
  • Anthropic does not train on data sent via their API
  • AI processing is stateless — no conversation history is retained

Payment security

  • Payments processed entirely by Stripe — no card data touches ShipRelay servers
  • Stripe webhook signatures verified on every event using HMAC-SHA256

Widget privacy

  • The in-app widget uses anonymous session IDs via localStorage — no cookies
  • No personally identifiable information is collected from widget viewers
  • Invalid API keys fail silently — no information is leaked to the host page

Email compliance

  • Double opt-in confirmation for all subscribers
  • One-click unsubscribe in every email (CAN-SPAM, PIPEDA, GDPR)
  • Subscriber data deletion available on request
  • All emails sent via Resend with verified domain (DKIM + SPF)

Infrastructure

ShipRelay is built with Next.js and TypeScript, hosted on Vercel, with Supabase (managed Postgres) for data storage and Sentry for error monitoring.

  • Hosted on Vercel (edge network, automatic failover)
  • Database on Supabase (managed Postgres with automated backups)
  • Error monitoring via Sentry (PII redacted)

Responsible disclosure

If you discover a security vulnerability, please email security@shiprelay.io. We take all reports seriously and will respond within 48 hours.

Previous
Account Deletion
Next
API Reference