DocsCanary processes raw diffs in memory and immediately purges them. We store only the semantic insight — never the code itself. You control exactly what we see.
Security is not a feature we bolted on. It is the foundation every line of DocsCanary is built upon.
Raw diffs are held in memory for seconds during analysis, then permanently purged. No disk writes, no caching, no traces. Our architecture makes it impossible for code to persist.
Choose from three granularity tiers: metadata only, diff only, or contextual diff. Upgrade or downgrade per repository, at any time, with a single toggle.
Every API call, every data access, every model invocation is logged with timestamp, actor, and IP address. You can export your full audit trail at any time.
Code enters, insight exits. Nothing else stays. Here is the exact lifecycle of every piece of data we process.
GitHub/GitLab sends a webhook when a PR is merged. We receive metadata only at this stage.
Diffs are fetched into volatile memory and analyzed by AI in seconds. Never written to disk.
Only the semantic result is persisted: which docs are affected, severity, and suggested edits.
All raw code data is permanently erased from memory. Zero residual. Cryptographically verified.
Every repository has its own access tier. Change it anytime. Downgrade with zero data retention from the previous level.
DocsCanary receives only PR titles, descriptions, commit messages, and file paths. Absolutely zero code access of any kind.
Best for: Teams with strict compliance requirements or repos containing highly sensitive IP.
Only the changed lines from each PR are analyzed. Processed in volatile memory in seconds, never written to disk. Ideal balance of accuracy and privacy.
Best for: Most teams. Gives DocsCanary enough signal to accurately detect documentation impact without exposing full file contents.
Changed lines plus a configurable window of surrounding context. Enables the highest-fidelity understanding of what changed and why.
Best for: Complex codebases where changes require surrounding context to understand impact on docs accurately.
Built on AWS with defense-in-depth security at every layer.
DocsCanary is built to satisfy the strictest enterprise security and privacy requirements.
Audit-ready controls
EU data residency options
Every action logged
Right to be forgotten
Our controls are designed to meet SOC 2 Type II requirements across all five trust service criteria: security, availability, processing integrity, confidentiality, and privacy. Annual third-party audits validate our compliance posture.
EU and EEA data residency options ensure your data never leaves your preferred region. We support Data Processing Agreements (DPAs), right to access, right to deletion, and data portability. Sub-processors are disclosed and contractually bound.
No. Raw diffs and code snippets are processed entirely in volatile memory (RAM). They are never written to disk, never cached, and never persisted in any database. Once analysis completes — typically within seconds — all code data is permanently purged from memory.
DocsCanary stores only the semantic insights derived from analysis: which documentation pages may be affected by a code change, the severity of the drift, and AI-generated edit suggestions. We also store metadata you have shared (PR titles, commit messages, etc.) and your configuration preferences.
Absolutely not. We use Anthropic Claude under a Data Processing Agreement that explicitly prohibits training on customer data. We also leverage Anthropic's zero-retention API options, meaning your data is not logged or retained by our AI provider either.
Yes. Every API call, data access event, and model invocation is logged with a timestamp, the acting user, and the originating IP address. You can export your complete audit trail at any time from your account settings, or request it from our team.
DocsCanary infrastructure runs on AWS with VPC isolation. By default, data is hosted in US regions. For GDPR compliance, we offer EU data residency options where all data processing and storage occurs within EU-based AWS regions.
We have implemented all controls required for SOC 2 Type II certification and are currently undergoing our formal audit. We are happy to share our controls matrix, security architecture documentation, and penetration test results under NDA. Contact security@docscanary.com to request access.
Yes. Under GDPR and our own data governance policies, you can request complete deletion of all your data at any time. This includes all stored insights, metadata, configuration, and audit logs. Deletion is processed within 30 days and is cryptographically verified.
We maintain a responsible disclosure program. Security researchers can report vulnerabilities to security@docscanary.com. We commit to acknowledging reports within 24 hours, providing an initial assessment within 72 hours, and resolving critical issues within 7 days.
Our security team is available to discuss your requirements, share documentation under NDA, or walk through our architecture in detail.
security@docscanary.com — PGP key available on request