How cubic keeps your code and data safe
cubic is built by developers, for developers. We understand that your source code is your most valuable asset, so we designed our systems with security and privacy as a first principle, not an afterthought.
cubic is committed to achieving SOC 2 Type II compliance to provide the highest level of security and trust for our customers. We are actively working towards this certification and have implemented many of the required controls internally (such as change management, access management, and vulnerability management). We will update this page and proactively notify customers as we progress through the formal audit process.
Granting the following scopes allows cubic to read pull requests, leave review comments, and update PR status checks.
| Scope | Access | Why we need it |
|---|---|---|
| Administration | Read-only | Access repository settings and organization information |
| Actions | Read & write | Manage GitHub Actions workflows and runs |
| Checks | Read & write | Surface pass/fail status checks for AI review completion |
| Code | Read & write | Fetch the diff, surrounding context, and make changes when required |
| Commit statuses | Read-only | Monitor and display commit status in the cubic UI |
| Deployments | Read-only | Access deployment information for integration purposes |
| Issues | Read & write | Create and manage issues when needed |
| Metadata | Read-only | Display repository information inside the cubic UI |
| Pull requests | Read & write | Post AI-generated review comments and resolve threads when feedback is addressed |
| Workflows | Read & write | Integrate with and manage GitHub workflow runs |
Note: You can install the cubic App on a single repository or an entire organization. Access is scoped to the repositories you select during installation, and can be modified at any time from GitHub’s “Installed Apps” settings page.
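A practitioner installing a GitHub App will usually want to confirm that the permissions actually granted match the documented table and nothing more. The script below is an added example, not cubic's own code: it takes the `permissions` object that GitHub's REST API returns for an installation (for example from `GET /user/installations`) and compares it against the scopes listed above. The mapping from table rows to REST permission keys (`contents` for "Code", `statuses` for "Commit statuses", `pull_requests` for "Pull requests") is an assumption based on the GitHub API's naming, and the installation JSON is constructed for the example.

```python
"""Least-privilege check of a GitHub App installation against a documented scope table."""
from __future__ import annotations

import json

# Ordering of GitHub permission levels, lowest to highest.
RANK = {"none": 0, "read": 1, "write": 2}

# Scopes from cubic's table, keyed by the GitHub REST `permissions` field names.
# Assumption: table rows map to these keys ("Code" -> contents, etc.).
EXPECTED: dict[str, str] = {
    "administration": "read",
    "actions": "write",
    "checks": "write",
    "contents": "write",
    "statuses": "read",
    "deployments": "read",
    "issues": "write",
    "metadata": "read",
    "pull_requests": "write",
    "workflows": "write",
}

# Constructed sample of an installation record: one scope escalated beyond the
# table (administration), one scope not in the table at all (secrets), and one
# documented scope absent (deployments).
SAMPLE_INSTALLATION_JSON = json.dumps({
    "id": 0,  # placeholder installation id
    "permissions": {
        "administration": "write",
        "actions": "write",
        "checks": "write",
        "contents": "write",
        "statuses": "read",
        "issues": "write",
        "metadata": "read",
        "pull_requests": "write",
        "workflows": "write",
        "secrets": "read",
    },
})


def audit_permissions(granted: dict[str, str],
                      expected: dict[str, str] = EXPECTED) -> dict[str, list[str]]:
    """Compare granted permissions with the documented ones.

    Returns three lists:
      excess     - documented key granted at a higher level than documented
      unexpected - key granted that the table does not mention at all
      missing    - documented key granted at a lower level than documented
    """
    findings: dict[str, list[str]] = {"excess": [], "unexpected": [], "missing": []}
    for key, level in granted.items():
        want = expected.get(key)
        if want is None:
            findings["unexpected"].append(f"{key}={level}")
        elif RANK[level] > RANK[want]:
            findings["excess"].append(f"{key}={level} (documented: {want})")
    for key, want in expected.items():
        have = granted.get(key, "none")
        if RANK[have] < RANK[want]:
            findings["missing"].append(f"{key}={have} (documented: {want})")
    return findings


def audit_installation(installation_json: str) -> dict[str, list[str]]:
    """Parse one installation record (as returned by the GitHub REST API) and audit it."""
    record = json.loads(installation_json)
    return audit_permissions(record.get("permissions", {}))


def is_least_privilege(findings: dict[str, list[str]]) -> bool:
    """True only when nothing beyond the documented table has been granted."""
    return not findings["excess"] and not findings["unexpected"]


if __name__ == "__main__":
    result = audit_installation(SAMPLE_INSTALLATION_JSON)
    for category, items in result.items():
        for item in items:
            print(f"{category}: {item}")
    print("least privilege:", is_least_privilege(result))
```

Run it against the real record (`gh api /user/installations`, then pick the cubic entry) to get an actionable list; "excess" and "unexpected" are the findings to act on, while "missing" is informational and usually means the table has been tightened since installation.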
At no point is your repository cloned to a long-lived server or stored in a database. If the review is cancelled or the PR is closed, the sandbox is destroyed right away.
cubic uses best-in-class large-language models hosted by vetted providers (currently OpenAI and Anthropic). Our agreements with these subprocessors explicitly prohibit using your data for model training. Only the minimal code snippets required for the requested analysis are transmitted, and all requests are sent over encrypted channels.
If your organization prefers to completely block AI features, please contact us and we can disable them for your workspace.
We record operational metadata only—for example, the duration of a review run or the size of the diff. Neither full source code nor pull-request diffs are written to our logs.
If you believe you have found a vulnerability in cubic, please email our security team at contact@cubic.dev with the subject line “Security Vulnerability”. We investigate all reports promptly and appreciate the efforts of the security community.