Acrity does not keep a durable copy of your code tree. Diff content is processed transiently and, for large changes, may be cached at rest for a limited period with automatic expiry (up to 24 hours). Note that suggested-fix snippets can appear in durable review records.
What Acrity processes
During a review, Acrity can process information needed to understand the change:| Category | Examples | Use |
|---|---|---|
| Repository metadata | provider, organization, repository, branch, pull request or merge request | identify the change and apply workspace policies |
| Change metadata | author, title, description, changed files, review status | run the review and present history |
| Change diffs | diff snippets needed during analysis | transiently assess the impact of the change |
| Settings | review tiers, language, branch rules, linked credentials | respect the policy defined by the workspace admin |
| Results | findings, severity, decision, suggestions, execution telemetry | show audit, reports, and history |
What Acrity does not do
Acrity does not clone and store a complete copy of the repository as product data. Acrity does not keep a durable copy of your code tree, publish customer code, expose credentials in API responses, or turn private repositories into public training material. Diff content is processed transiently. For large changes, it may be cached at rest for a limited period with automatic expiry (up to 24 hours). Suggested-fix snippets can appear in durable review records.Durable review records
Durable records prioritize audit and operational information:- which workspace and repository were reviewed;
- which pull request or merge request generated the analysis;
- review decision, severities, and findings;
- aggregated counts, times, and costs;
- suggested fixes and supporting evidence needed to explain the result, which can include code patches;
- publication state in external providers, when applicable.
Sensitive data
Credentials, OAuth tokens, connector tokens, and API keys follow separate controls:- credential and OAuth secrets are stored with strong encryption at rest;
- API keys are not stored in plaintext;
- one-time displayed tokens should be stored by the workspace admin in a secrets vault;
- Console and API responses show metadata, status, and last characters when needed, not the complete secret.
Best practices for customers
- Connect only repositories that should be reviewed by Acrity.
- Use dedicated credentials for Acrity, with the minimum sufficient permissions.
- Separate workspaces by environment, unit, or customer when administrative isolation is required.
- Periodically review credentials, API keys, webhooks, and workspace members.
- Use connectors for private VCS providers when company policy requires VCS tokens to remain in the customer’s environment.