We read your code to review it, and store none of it.
heygrc reviews pull requests for compliance, so the obvious question is what happens to the code it reads. The short answer: secrets are stripped first, the diff is processed transiently, and your source is never retained. heygrc is a product by ISMS Copilot and shares its security and legal posture.
Data handling, in plain terms.
- Secrets are stripped before review
Sensitive files (.env, keys, anything that looks like credentials) are dropped, and secret-shaped content (private-key blocks, API tokens) is redacted, before a diff is ever sent to the model.
- Your source is reviewed, not retained
The diff is processed transiently to produce the review. heygrc stores only the review it writes back (the summary and findings), never your source code or the raw diff.
- EU-hosted review
The review worker runs in the EU (Paris). The formal data-residency and transfer details are documented in the ISMS Copilot DPA.
- Vetted AI providers only
Reviews run on the same OpenRouter allowlist as ISMS Copilot: a closed set of vetted providers, each confirming zero retention and no training on your data, with PRC-jurisdiction providers blocked at the account level.
- Least-privilege by design
The GitHub App requests only the permissions it needs, API keys are stored as one-way hashes, and a key can only ever act on its own organization.
- It never blocks your merges
heygrc posts a neutral Checks status and comments. Findings are surfaced for you to weigh, not used as a gate on shipping.
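To make the "secrets are stripped before review" point concrete, here is an added Python illustration of a diff pre-filter of the kind that bullet describes. It is not heygrc's or ISMS Copilot's code: it drops whole diff sections whose path looks sensitive, then redacts private-key blocks and token-shaped strings in what remains, so that only the sanitized diff would ever be handed to a model. The path patterns, token formats and the sample diff are constructed assumptions, not a description of what heygrc actually matches.

```python
import re

# Constructed illustration: sanitize a unified diff before it leaves the worker.
# Not heygrc's implementation; the patterns below are assumptions for the example.

# Paths whose entire diff section is dropped, not just redacted.
SENSITIVE_PATH_PATTERNS = [
    re.compile(r"(^|/)\.env(\.|$)"),                 # .env, .env.local, ...
    re.compile(r"\.(pem|key|p12|pfx|jks)$"),         # key material by extension
    re.compile(r"(^|/)id_(rsa|dsa|ecdsa|ed25519)$"),  # SSH private keys
    re.compile(r"(^|/)(credentials|secrets?)(\.[a-z]+)?$"),
]

# Secret-shaped content redacted inside sections that are kept.
PRIVATE_KEY_BLOCK = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----",
    re.DOTALL,
)
# key = "value" assignments where the key name says it is a secret; keep the
# name (group 1) and replace only the value (group 2).
KEY_VALUE_SECRET = re.compile(
    r"""(?i)((?:api[_-]?key|secret|token|password)\s*[:=]\s*['"]?)([^\s'"]{8,})"""
)
TOKEN_PATTERNS = [
    re.compile(r"\bgh[pousr]_[A-Za-z0-9]{20,}\b"),   # GitHub token prefixes
    re.compile(r"\bAKIA[0-9A-Z]{16}\b"),             # AWS access key id shape
    re.compile(r"\bsk-[A-Za-z0-9_-]{20,}\b"),        # "sk-" style API keys
    re.compile(r"\bxox[abpr]-[A-Za-z0-9-]{10,}\b"),  # Slack token shape
]


def split_diff(diff: str) -> list:
    """Split a unified diff into (path, section_text) pairs on 'diff --git' headers."""
    sections, current_path, current_lines = [], None, []
    for line in diff.splitlines(keepends=True):
        if line.startswith("diff --git "):
            if current_path is not None:
                sections.append((current_path, "".join(current_lines)))
            parts = line.split()                  # 'diff --git a/p b/p'
            current_path = parts[3][2:] if len(parts) >= 4 else parts[-1]
            current_lines = [line]
        else:
            current_lines.append(line)
    if current_path is not None:
        sections.append((current_path, "".join(current_lines)))
    return sections


def is_sensitive_path(path: str) -> bool:
    return any(p.search(path) for p in SENSITIVE_PATH_PATTERNS)


def redact_secrets(text: str) -> str:
    # Order matters: redact whole key blocks first, then named assignments,
    # then bare token shapes, so one pass does not mangle another's output.
    text = PRIVATE_KEY_BLOCK.sub("[REDACTED PRIVATE KEY]", text)
    text = KEY_VALUE_SECRET.sub(r"\1[REDACTED]", text)
    for pat in TOKEN_PATTERNS:
        text = pat.sub("[REDACTED TOKEN]", text)
    return text


def sanitize_diff(diff: str):
    """Return (sanitized_diff, dropped_paths)."""
    kept, dropped = [], []
    for path, section in split_diff(diff):
        if is_sensitive_path(path):
            dropped.append(path)      # never forwarded, not even redacted
            continue
        kept.append(redact_secrets(section))
    return "".join(kept), dropped


# Constructed sample diff; every credential below is a made-up placeholder.
SAMPLE_DIFF = """\
diff --git a/.env b/.env
--- /dev/null
+++ b/.env
@@ -0,0 +1,2 @@
+DATABASE_URL=postgres://app:hunter2@db/app
+STRIPE_KEY=sk_live_constructedexamplevalue0000
diff --git a/app/config.py b/app/config.py
--- a/app/config.py
+++ b/app/config.py
@@ -1,2 +1,6 @@
 import os
-GITHUB_TOKEN = None
+GITHUB_TOKEN = "ghp_CONSTRUCTEDexampletoken1234567890ab"
+AWS_KEY = "AKIACONSTRUCTED12345"
+PRIVATE_KEY = \"\"\"-----BEGIN RSA PRIVATE KEY-----
+MIIconstructedbase64blob
+-----END RSA PRIVATE KEY-----\"\"\"
diff --git a/app/views.py b/app/views.py
--- a/app/views.py
+++ b/app/views.py
@@ -10,2 +10,2 @@
 def index(request):
-    return render(request, "index.html")
+    return render(request, "index.html", {"user": request.user})
"""

if __name__ == "__main__":
    sanitized, dropped_paths = sanitize_diff(SAMPLE_DIFF)
    print("dropped:", dropped_paths)
    print(sanitized)
```

Two design points are worth noticing in the output. The `.env` section is dropped as a whole rather than scanned: its `sk_live_` value does not match any of the token shapes, so regex redaction alone would have let it through, which is why path-based dropping sits in front of content matching. And the named-assignment rule redacts only the value, keeping the variable name, so a reviewer can still see that a token was hard-coded without ever seeing the token; the price of such rules is occasional over-redaction of harmless values, which is the safer failure mode for this step.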
The binding documents live on the ISMS Copilot trust center.
heygrc does not maintain a separate legal stack. The Terms, Privacy Policy, DPA, and subprocessor list that govern heygrc are the ISMS Copilot ones, kept in one place and versioned with a public change log.
- Terms of Service: the service agreement.
- Privacy Policy: what data is processed and why, including the full AI-provider posture.
- Data Processing Agreement: processor terms, subprocessors, and transfer mechanisms.
- Register of Processing Activities: the per-activity Article 30 processing inventory.
- Cookie Policy: how the sites use cookies.
Questions a security review or vendor assessment did not answer here? The full trust center has the Transfer Impact Assessment, status page, and contact for security inquiries.