
Data Security

At FirstMate we deeply value data security. We therefore designed our product so that data is always kept confidential, isolated per organization, and used only to improve your organization's reviews. FirstMate will never use data collected during code reviews to train or influence the models.

Hosting

FirstMate services are hosted on Azure in the Germany West Central region. This means that your data will never leave Europe. Contact us if you would like to use our services in another region.

What data is kept in our system

The following data is stored in the FirstMate database:

  • Organisational and user data
  • Calculated metadata for linked repositories (repo category)
  • Pull request info (metadata, no code)
  • Statistics of actions performed by the platform

Your code is never stored on our systems. Your code is downloaded during the review process and temporarily stored in memory in a separate, dedicated Docker container for your organisation. After 30 minutes of inactivity, the container is destroyed together with the downloaded code. FirstMate will never use your code for any purpose other than the product services.

Large Language Models (LLMs)

Queries to the Large Language Models (LLMs) are ephemeral and there is zero retention on LLMs. Neither we nor the LLM provider(s) share any data collected during the code review process with third parties. We use private Azure OpenAI instances in Europe (Sweden). In a self-hosted setup, you can link FirstMate to any models you want (OpenAI, AWS Bedrock). For a more technical, in-depth view of the data flow, take a look here.

Opting Out

You can choose to opt out of FirstMate at any time. Opting out will erase all data related to your organisation. It is up to you to remove the application from the git provider. Please notify us at info@firsmate.cloud

Authentication

Authentication to the FirstMate platform is handled through Auth0.

Authentication with the Git provider is always done through an application installed on the provider. This installation is user-friendly and secure. To improve security, FirstMate will rotate the secrets of these applications at appropriate intervals. In the FirstMate console, you will find a detailed guide on how to install the FirstMate application on your specific provider (GitLab, Bitbucket, GitHub or Azure DevOps).

Logging data

To avoid having sensitive data in our logs, we use FirstMate. Our policy is that logging at the INFO level must never contain business-critical data in any of our microservices. To complete the requirement, we also added a policy that logging in production must always be configured at the INFO level. Take a look at our guideline implementation here.