Security & data handling
The short version
- Your source code is never persisted — each scan makes a temporary, isolated clone, analyses it, stores the report and metrics, and deletes the working copy.
- No third-party AI ever sees your code — the LLM steps run on a model we host on our own hardware. Nothing is sent to OpenAI, Anthropic, Google or any other AI provider.
- Everything runs on hardware we own, located in Denmark (EU) — no cloud compute, no cloud storage, no CDN in the serving path.
- We do not train on your code — neither our own models nor anyone else's.
- Access mirrors GitHub — lose access on GitHub and you lose access to the reports here; memberships are re-synchronised daily.
1. Neutrality — the measurer never sits at the table
Canine Development is never a delivering party on code it measures, and takes no success fees from suppliers. The rubric is identical regardless of which party pays — same dimensions, same thresholds, same scoring logic; the report doesn't know who holds the subscription. Both contracting parties being customers is the intended mode — one source of truth for both sides.
Paid support covers operating Watchdog — installation, CI integration, report interpretation — never engineering on codebases Watchdog measures. We sell the thermometer, never the patient's treatment.
2. What we access
The Watchdog GitHub App requests read-only Contents and Metadata by default — no actions, no webhook payloads with code, and we never modify your source. There is one optional write, off until you enable it: the audit-marker issue (requires issues:write), which maintains a single GitHub issue tracking open findings.
Sign-in is via GitHub through our self-hosted identity provider (Keycloak); we receive your GitHub login, display name and email.
Public GitLab projects can be added by URL (anonymous read-only clone; no token, no install). For code hosted elsewhere, a ZIP upload per scan is available — we extract, analyse, delete; the archive is not retained.
3. Scan lifecycle
- Clone — a temporary, isolated working copy.
- Analyse — including the self-hosted model; your code never leaves our infrastructure.
- Store results — the report bundle (HTML/Markdown/PDF), findings, scores, numeric metric points for trend graphs, and run metadata (timing, commit SHA, status) — not your source.
- Delete — the clone (or uploaded archive) is removed when the scan finishes, including on failure.
Reports may quote small code excerpts. Public reports pass through an additional sanitiser that strips account names and security-sensitive specifics.
4. Where data lives
All processing and storage happens on servers owned and operated by Canine Development, located in Denmark. There is no cloud provider in the data path — the analysis hosts, the database, report storage, the identity provider and the LLM are all self-hosted. Your data stays in the EU.
5. Who has access
- You and your team. Reports are visible to the repository's members; membership mirrors GitHub and is re-synchronised daily — revoked on GitHub means revoked here within a day.
- Public reports exist only for public repositories that are published: open-source repos on the free plan publish automatically — that is the pricing-page bargain; paid cohorts publish only by explicit opt-in.
- Least-privilege operations. Production access is restricted to named Canine Development operations personnel and logged. No contractors or third parties.
6. Transport & perimeter
All public traffic is TLS-terminated at our own edge. Internal services are not internet-exposed — application and database listen on internal interfaces behind a host firewall. Sign-in is OIDC via self-hosted Keycloak brokering GitHub (no local passwords). Self-hosted scan ingestion (for self-hosted deployments) is token-authenticated per repository.
7. Subprocessors — the whole list
| Subprocessor | Purpose | Data | Location |
| GitHub, Inc. | Source hosting & sign-in identity | Repository contents (read-only), account identity | USA (your existing GitHub relationship) |
| Stripe, Inc. (activates with billing) | Payment processing | Billing details — card data never touches our servers | USA/EU |
That is the whole list. No analytics SaaS, no error-tracking SaaS, no CDN, no cloud AI. Identity (Keycloak), the engine, the LLM, the database and report storage are all self-hosted. We will update this page and email account owners before adding any subprocessor.
8. Data protection & the DPA
Source code may incidentally contain personal data; account data is processed to operate the service. Our standard Data Processing Agreement incorporates the subprocessor list; contact us for a countersigned copy.
Right to erasure is self-service — close your account from your settings: a 14-day reversible grace period, then permanent deletion erasing personal data and login and purging your reports. See DPA §4.
9. Compliance roadmap — the honest version
Watchdog does not hold a SOC 2 attestation today, and we won't pretend otherwise. What we provide instead: this page as a factual control statement, the subprocessor list, a signable DPA, and EU-only processing on hardware we operate ourselves. A formal attestation (SOC 2 Type I or ISO 27001) is on the roadmap. Self-hosted deployments sidestep the question entirely — your code never leaves your network.
10. Responsible disclosure
Report security issues to /contact?topic=security with reproduction steps. We acknowledge within 48 hours, keep you informed, and credit you if you want it. Please give us reasonable time to fix before publishing, and don't access other customers' data.
11. Imprint
Canine Development — a registered company in Denmark. CVR: 42092134. Contact via the contact form. Responsible: the operator of watchdog.canine.dev.