Security & Privacy

How Zapat handles your source code

Your code is never stored after a job. We access it only to complete the work you requested.

Updated March 3, 2026

Your source code is yours. Zapat accesses it only to perform the specific operations you have requested, and only during active job execution. Here is exactly what happens at each step.

During a job

  • Code is cloned from your GitHub repository into an ephemeral container with temporary storage.
  • Relevant files are read and sent to a frontier AI model for processing.
  • The agent writes code changes, commits them, and pushes the branch to GitHub via the GitHub App.
  • When the job completes, the container is destroyed and the temporary storage is wiped.

What Zapat stores

  • Job metadata: issue number, PR number, trigger type, state, cost, token count, timestamps.
  • Agent progress events: narrative progress messages (e.g., "Analyzing the issue") — NOT the actual code content.
  • GitHub App installation tokens (short-lived, auto-rotated).
  • No source code is persisted in Zapat's database or any other storage.

BYOC mode (coming soon)

When BYOC (Bring Your Own Compute) launches, code will be processed entirely within your own network. Source code will never be sent to Zapat's infrastructure — only job metadata (state transitions, cost, PR number) will be communicated back to Zapat's control plane. BYOC is on our roadmap for Enterprise customers.

Note

Even in managed compute mode, Zapat employees do not have access to your source code. Code is processed in isolated containers and never stored beyond the job lifecycle.

Secrets and credentials

  • GitHub App private key is stored in an encrypted secrets vault (not in code or environment variables).
  • AI API keys are injected at container runtime via the secrets vault — never exposed in logs.
  • Webhook signature verification uses HMAC SHA-256 to ensure events genuinely came from GitHub.
  • All API communication uses HTTPS/TLS.
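The webhook check in the list above is worth seeing concretely. The block below is an added example, not Zapat's code: it implements the HMAC SHA-256 verification that GitHub documents for its `X-Hub-Signature-256` header (the value is `sha256=` followed by the hex HMAC of the raw request body). The secret and payload are constructed for the example; a real service would read the secret from a vault as the page describes. It also shows the two checks a receiver must not skip: comparing in constant time, and signing the raw body bytes rather than a re-serialized copy of the parsed JSON.

```python
"""Verify a GitHub webhook delivery with HMAC SHA-256 (X-Hub-Signature-256)."""
import hashlib
import hmac
import json
from typing import Optional

# Constructed example secret; a real deployment injects this from a secrets vault.
WEBHOOK_SECRET = b"example-webhook-secret"

# Constructed sample payload, exactly as the raw bytes would arrive on the wire.
SAMPLE_BODY = b'{"action":"opened","issue":{"number":42},"repository":{"full_name":"acme/widgets"}}'


def compute_signature(secret: bytes, body: bytes) -> str:
    """Build the header value GitHub sends: 'sha256=' + hex HMAC of the raw body."""
    mac = hmac.new(secret, body, hashlib.sha256)
    return "sha256=" + mac.hexdigest()


def verify_signature(secret: bytes, body: bytes, header_value: Optional[str]) -> bool:
    """Return True only if header_value is a well-formed, matching signature for body.

    Rejects a missing header, a non-sha256 scheme, non-ASCII junk, and any digest mismatch.
    """
    if not header_value or not header_value.startswith("sha256="):
        return False
    expected = compute_signature(secret, body)
    try:
        # compare_digest runs in constant time, so the digest cannot be learned byte by byte
        return hmac.compare_digest(expected, header_value)
    except TypeError:
        # compare_digest refuses non-ASCII str input; treat that as a failed check
        return False


def accept_delivery(secret: bytes, body: bytes, headers: dict) -> Optional[dict]:
    """Parse the event only after the signature check passes; otherwise return None."""
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return None
    return json.loads(body)


if __name__ == "__main__":
    good_headers = {"X-Hub-Signature-256": compute_signature(WEBHOOK_SECRET, SAMPLE_BODY)}
    print("genuine delivery accepted:",
          accept_delivery(WEBHOOK_SECRET, SAMPLE_BODY, good_headers) is not None)

    # A single changed byte in the body invalidates the signature.
    tampered = SAMPLE_BODY.replace(b'"number":42', b'"number":43')
    print("tampered delivery accepted:",
          accept_delivery(WEBHOOK_SECRET, tampered, good_headers) is not None)

    # Pitfall: re-serializing the parsed JSON changes whitespace and therefore the digest,
    # so verification must always run over the raw request body bytes.
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print("re-serialized body matches raw signature:",
          verify_signature(WEBHOOK_SECRET, reserialized, good_headers["X-Hub-Signature-256"]))
```

In a web framework, call `verify_signature` on the raw body before any JSON parsing or routing, and reject the request with a 401 when it returns False; the parsed event should never be acted on before that point.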
