Data Handling

How Figorit stores and processes your code.

Your source code is intellectual property, and we treat it that way. Every layer of our stack is protected: AES-256 encryption at rest via per-organisation AWS KMS keys, TLS 1.3 in transit, and ephemeral processing in isolated containers.

Encryption at Rest (AES-256)

Repository archives stored in Amazon S3 are encrypted using server-side encryption with per-organisation AWS KMS keys (SSE-KMS, AES-256). Each organisation is assigned a dedicated customer-managed key that is never shared across tenants. Database records in Supabase (vector embeddings, file summaries, metadata) and backups are encrypted at rest by our provider.
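
A check a reviewer could run over S3 HeadObject responses to confirm the per-organisation key arrangement described above; it is an added example, not Figorit's code. The `<org>/<archive>` object-key layout, the organisation names and the key ARNs are constructed assumptions; `ServerSideEncryption` and `SSEKMSKeyId` are the fields S3 returns from HeadObject.

```python
# Added example: audit HeadObject metadata for per-organisation SSE-KMS.
# Object-key layout "<org>/<archive>" and every ARN below are constructed.
from collections import defaultdict

KMS_MODES = {"aws:kms", "aws:kms:dsse"}  # S3 values that mean a KMS key was used


def audit_archives(objects, org_keys):
    """objects: {s3_key: HeadObject-style dict}; org_keys: {org: expected key ARN}.
    Returns a sorted list of (target, finding); an empty list means compliant."""
    findings = []
    orgs_by_key = defaultdict(set)  # KMS key ARN -> organisations using it
    for s3_key, head in objects.items():
        org = s3_key.split("/", 1)[0]
        sse = head.get("ServerSideEncryption")
        kms_key = head.get("SSEKMSKeyId")
        if sse not in KMS_MODES:
            # "AES256" is SSE-S3: encrypted, but not under a tenant-specific key.
            findings.append((s3_key, f"not SSE-KMS (ServerSideEncryption={sse})"))
            continue
        orgs_by_key[kms_key].add(org)
        if org not in org_keys:
            findings.append((s3_key, "no key registered for organisation"))
        elif kms_key != org_keys[org]:
            findings.append((s3_key, "encrypted under another organisation's key"))
    # A key that protects objects of more than one organisation breaks isolation.
    for kms_key, orgs in orgs_by_key.items():
        if len(orgs) > 1:
            findings.append((kms_key, "key shared by " + ", ".join(sorted(orgs))))
    return sorted(findings)


# Constructed sample metadata (not real objects or keys).
ARN = "arn:aws:kms:eu-west-1:111122223333:key/"
ORG_KEYS = {"acme": ARN + "aaaa", "globex": ARN + "bbbb"}
SAMPLE = {
    "acme/repo1.tar.gz": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": ARN + "aaaa"},
    "acme/repo2.tar.gz": {"ServerSideEncryption": "AES256"},
    "globex/api.tar.gz": {"ServerSideEncryption": "aws:kms", "SSEKMSKeyId": ARN + "aaaa"},
}

if __name__ == "__main__":
    for target, finding in audit_archives(SAMPLE, ORG_KEYS):
        print(target, "->", finding)
```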

Encryption in Transit (TLS 1.3)

All communication between your browser and Figorit, between our services and GitHub, and between internal microservices uses TLS 1.3. API keys and secrets are stored as encrypted environment variables and never logged or exposed in plaintext.

What We Store and What We Don't

We store an encrypted archive of each connected repository in Amazon S3 under your organisation's dedicated KMS key. In our database we store vector embeddings, file-level summaries, and indexing metadata needed for search. We do not persist raw source code in the database. When you run a query, your encrypted archive is temporarily decrypted within an isolated container to perform file reads and search. The decrypted data exists only for the duration of the request and is automatically cleared when the container terminates.

Complete Data Destruction on Disconnect

When you remove a repository, its encrypted S3 archive is deleted within minutes and all associated embeddings, summaries, and metadata are purged from the database. When you fully disconnect by removing our GitHub App, we delete every S3 object for your organisation, disable the KMS key, and schedule it for permanent destruction (AWS-enforced 7-day minimum pending window).