Privacy & security
How cubic keeps your code and data safe
cubic is built by developers, for developers. We understand that your source code is your most valuable asset, so we designed our systems with security and privacy as a first-principle—not an afterthought.
Our guiding principles
- Short-lived processing – We never permanently store your repository’s source code. Your code is fetched into an isolated, short-lived sandbox only while an AI review is running and is irreversibly deleted as soon as the job completes.
- Encryption everywhere – All data is encrypted in transit (TLS 1.2+) and at rest (AES-256), including database records and object storage.
- Least-privilege access – The cubic GitHub App requests the minimum scope required to perform reviews. No additional write-or-admin permissions are granted unless they are strictly necessary (see below).
- Transparent operations – We publish this page so that every customer—current or prospective—can understand exactly how we treat their data. If you have questions, email us any time at contact@cubic.dev. Our data handling practices are further detailed in our Privacy Policy and use of the service is governed by our Terms of Service.
- No AI model training on customer data – Our AI model providers (e.g., OpenAI, Anthropic) contractually commit that code snippets and metadata passed through their APIs are not used to train or improve their underlying models.
SOC 2 status
cubic is committed to achieving SOC 2 Type II compliance to provide the highest level of security and trust for our customers. We are actively working towards this certification and have implemented many of the required controls internally (such as change management, access management, and vulnerability management). We will update this page and proactively notify customers as we progress through the formal audit process.
Permissions requested by the cubic GitHub App
Granting the following scopes allows cubic to read pull-requests, leave review comments, and update PR status checks.
| Scope | Access | Why we need it |
|---|---|---|
| Administration | Read-only | Access repository settings and organization information |
| Actions | Read & write | Manage GitHub Actions workflows and runs |
| Checks | Read & write | Surface pass/fail status checks for AI review completion |
| Code | Read & write | Fetch the diff, surrounding context, and make changes when required |
| Commit statuses | Read-only | Monitor and display commit status in the cubic UI |
| Deployments | Read-only | Access deployment information for integration purposes |
| Issues | Read & write | Create and manage issues when needed |
| Metadata | Read-only | Display repository information inside the cubic UI |
| Pull requests | Read & write | Post AI-generated review comments and resolve threads when feedback is addressed |
| Workflows | Read & write | Integrate with and manage GitHub workflow runs |
Note: You can install the cubic App on a single repository or an entire organization. Access is scoped to the repositories you select during installation, and can be modified at any time from GitHub’s “Installed Apps” settings page.
How AI code review works
- Event trigger – Whenever a pull request is opened or updated, GitHub sends cubic a webhook describing the event.
- Ephemeral sandbox – A new isolated container is launched. The sandbox has no network egress.
- Analysis – The pull-request diff and only the necessary context needed for reviewing the PR are processed by AI models.
- Comment publication – The generated review comments are posted back to the PR via the GitHub API.
- Secure teardown – The sandbox (filesystem, memory, logs) is destroyed immediately after the review finishes.
At no point is your repository cloned to a long-lived server or stored in a database. If the review is cancelled or the PR is closed, the sandbox is destroyed right away.
AI subprocessors
cubic uses best-in-class large-language models hosted by vetted providers (currently OpenAI and Anthropic). Our agreements with these subprocessors explicitly prohibit using your data for model training. Only the minimal code snippets required for the requested analysis are transmitted, and all requests are sent over encrypted channels.
If your organization prefers to completely block AI features, please contact us and we can disable them for your workspace.
Logging & metadata
We record operational metadata only—for example, the duration of a review run or the size of the diff. Neither full source code nor pull-request diffs are written to our logs.
Reporting a security issue
If you believe you have found a vulnerability in cubic, please email our security team at contact@cubic.dev with the subject line “Security Vulnerability”. We investigate all reports promptly and appreciate the efforts of the security community.