Security

Your team's code data. Handled like it matters.

Engineering orgs that grant us access to their workflow data are making a trust decision. Here's the exact architecture behind how we handle that data — no marketing language, just what we actually do.

Controls

How we protect your data

Four layers that work together to keep your engineering workflow data safe and controlled.

Encryption at rest and in transit

All data is encrypted at rest using AES-256. Data in transit uses TLS 1.3. We use separate encryption keys per team, so a breach of one tenant's key does not expose another's data.
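To make the per-team key claim concrete, the following Go program is an added illustration (not Tunlai's code, and not a description of their actual key management) of what "separate encryption keys per team" means in practice: each team gets its own random AES-256 key, records are sealed with AES-256-GCM, and a record encrypted under one team's key cannot be opened with another team's key. The in-memory `TeamKeyStore`, the team IDs and the sample record are constructed for the example; a real system would hold the keys in a KMS or HSM rather than a map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TeamKeyStore is a constructed stand-in for a KMS: one random
// 256-bit AES key per team, kept in memory for the illustration only.
type TeamKeyStore struct {
	keys map[string][]byte
}

func NewTeamKeyStore() *TeamKeyStore {
	return &TeamKeyStore{keys: make(map[string][]byte)}
}

// KeyFor returns the team's key, generating a fresh random AES-256 key
// the first time a team is seen. Keys are never derived from each other,
// so exposure of one key says nothing about any other team's key.
func (s *TeamKeyStore) KeyFor(team string) ([]byte, error) {
	if k, ok := s.keys[team]; ok {
		return k, nil
	}
	k := make([]byte, 32) // 32 bytes = AES-256
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	s.keys[team] = k
	return k, nil
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals a workflow-metadata record with the team's own key.
// The team ID is bound as additional authenticated data, so a sealed
// record cannot be re-attributed to another tenant without detection.
func (s *TeamKeyStore) Encrypt(team string, plaintext []byte) ([]byte, error) {
	key, err := s.KeyFor(team)
	if err != nil {
		return nil, err
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// Output layout: nonce || ciphertext || GCM tag
	return aead.Seal(nonce, nonce, plaintext, []byte(team)), nil
}

// Decrypt opens a record with the key of the team the caller names.
// The wrong team's key, the wrong team ID, or a modified byte all fail
// GCM authentication and return an error instead of plaintext.
func (s *TeamKeyStore) Decrypt(team string, sealed []byte) ([]byte, error) {
	key, ok := s.keys[team]
	if !ok {
		return nil, errors.New("no key provisioned for team")
	}
	aead, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:aead.NonceSize()], sealed[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(team))
}

func main() {
	store := NewTeamKeyStore()
	store.KeyFor("team-b") // provision a second tenant

	// Constructed sample of the kind of metadata record the page describes.
	record := []byte(`{"pr":42,"reviewer":"alice","purpose":"competency-graph"}`)
	sealed, _ := store.Encrypt("team-a", record)

	if _, err := store.Decrypt("team-b", sealed); err != nil {
		fmt.Println("team-b key cannot open team-a data:", err)
	}
	pt, _ := store.Decrypt("team-a", sealed)
	fmt.Println("team-a round trip:", string(pt))
}
```

The detail worth checking in any such design is the failure mode: a cross-tenant decryption attempt must produce an authentication error, never garbage plaintext, which is why an AEAD mode such as GCM is used here rather than an unauthenticated mode.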

Read-only OAuth scopes

We request the minimum OAuth scopes required to read workflow metadata. No write access, no admin access, no access to private repository content. You can review exact scopes before authorizing.

Per-team data isolation

Each customer's data is isolated at the infrastructure level. We do not aggregate data across customers or use one team's signals to train models deployed against another team's data.

Full audit log

Every data read is logged with timestamp, source, and purpose. Your security team can request the full audit log at any time. Logs are retained for 90 days. You can revoke access at any time from your settings.

Questions engineering teams ask us

Straight answers — no marketing-speak.

No. We request the minimum OAuth scopes required to read metadata signals — PR review comment text, file path patterns, ticket assignments. We do not request repository read access. For GitHub, we request the pull_requests:read and issues:read scopes only — explicitly not the repo scope that would allow reading file contents. You can verify this before authorizing: GitHub shows the exact scope list during OAuth. Source code content is never transmitted to our servers at any point.

Data is stored in US-based cloud infrastructure. Enterprise customers can request data residency specifications as part of their contract. We do not store source code — only the extracted workflow metadata signals needed to build the competency graph.

From your Tunlai settings, you can revoke any integration at any time. You can also revoke from the OAuth app settings in GitHub, GitLab, Jira, etc. — Tunlai respects immediate revocation. You can also request full deletion of your data by emailing [email protected].

No. Your data is used exclusively to build your team's competency graph and learning paths. We do not aggregate data across customers or use one team's signals to influence another team's model. Each customer's data is isolated at the infrastructure level.

Have a specific security question we haven't answered?

Talk to the team