Trust & security

We work close to sensitive parts of your stack.

Here is what we touch, where it lives, who else is in the loop, and how to reach us when something is wrong. No marketing language.


plain answers
What CI Guard reads

Repository contents (workflows, Terraform) and PR diffs. That is all. No live AWS API calls. CI Guard does not assume AWS roles or require AWS credentials.

What CI Guard is not

Not an IAM platform, not an SSO/SCIM/access-review tool, not a cloud posture product. CI Guard guards one path: how GitHub Actions authenticates to AWS.

Where we run

Single managed deployment on Render, US-East. Backups, retention, and on-call documented internally.

Sub-processors

Render, Stripe, GitHub, Postmark. We list them publicly and update 30 days before changes.

Audit

SOC 2 Type I in progress, scoped to CI Guard. We do not claim SOC 2 completion until a signed report exists.

Disclosure

[email protected]. We respond within one working day, fix, and credit.

Data minimization

We do not resell, train on, or warehouse customer code beyond what is needed to compute findings.


everyone in the loop
Sub-processors

Who else touches the data.

Vendor     Purpose                      Region
Render     Application hosting          US-East
Stripe     Billing & payments           US
GitHub     Source of repository data    Customer choice
Postmark   Transactional email          US

changes posted 30 days in advance · last update 2026-04-15


found something?
Responsible disclosure

One working day to first response. We fix, then credit. PGP key on request.

Email security