SlashCommandSlashCommand

Trust Retention

Data Retention Approach

What SlashCommand retains, why it is retained, and the current state of formal policy documentation.

Overview

SlashCommand's analysis is metadata-based. Source code is not stored.

Only the metadata necessary to evaluate pull requests is processed. A formal data retention policy is currently being documented. This page describes the current operational practice.

What we retain

Analysis data — metadata only.

Analysis data

  • Pull request metadata — title, author, labels, status
  • File paths and diff statistics
  • Commit SHAs and branch references
  • CI/CD check status
  • Dependency manifests (package.json, etc.)

Retained for the duration of the analysis session and to support product functionality. Formal deletion timelines are being documented.

Account & auth data

  • Account identifier and email address
  • GitHub App installation binding
  • Session credentials (short-lived)

Retained for the duration of an active account. Session credentials expire automatically and are not persisted.

What we do not retain

Source code is not stored. Access tokens are not persisted.

  • Source code or file contents — analysis is metadata-only
  • Long-lived GitHub access tokens — tokens are minted per-request and expire automatically
  • Personal access tokens — SlashCommand does not use personal access tokens
  • Source code in logs or storage at any stage of processing

Current state of formalization

Operational today. Formal documentation in progress.

The retention practices described on this page reflect current operational behavior. A formal written data retention policy, with explicit category-by-category retention periods and deletion commitments, is in progress and not yet complete.

We do not publish retention periods we cannot currently support with formal documentation. This page will be updated as the policy is formalized.

Also in this series

Service SubprocessorsInfrastructure and service providers that process data on our behalf

Questions

Questions about data retention can be directed to our security and trust address.

For procurement, vendor review, or DPA-related questions, reach out directly. Additional details on current retention practices can be provided during evaluation.

Security & trust inquiries

security@slashcommand.dev

For vendor review, security questions, and trust inquiries.

← Back to Trust