Security & data handling
The short version
- Your source code is never persisted. Each scan makes a temporary, isolated clone, analyses it, stores the resulting report and metrics, and deletes the working copy.
- No third-party AI ever sees your code. The language-model steps of the analysis run on a model we host on our own hardware. Nothing is sent to OpenAI, Anthropic, Google or any other AI provider.
- Everything runs on hardware we own, located in Denmark (EU). No cloud compute, no cloud storage, no CDN in the serving path.
- We do not train on your code — neither our own models nor anyone else's.
- Access mirrors GitHub. If you lose access to a repository on GitHub, you lose access to its reports here — memberships are re-synchronised daily.
1. Neutrality — the measurer never sits at the table
Watchdog measures code that one party delivers to another. For that measurement to mean anything, the measurer must have no stake in the result:
- Canine Development is never a delivering party on code it measures. We never develop or consult on a codebase we also score — never on both ends of one contract.
- No success fees from suppliers. Our revenue is the subscription, identical whether a delivery passes or fails.
- The rubric is identical regardless of which party pays. The same dimensions, the same thresholds, the same scoring logic — the report does not know who holds the subscription.
- Both contracting parties being customers is the intended mode. When the buyer and the supplier both read the same Watchdog report, they share one source of truth — that is the ideal case, and it is entirely distinct from Canine itself ever sitting on an end of the table, which never happens.
Paid support covers operating Watchdog — installation, CI integration, report interpretation — never engineering on codebases Watchdog measures. The boundary is the whole point: we sell the thermometer, never the patient's treatment.
2. What we access
Repository access goes through the Watchdog GitHub App, which by default requests read-only Contents and Metadata — no actions, no webhook payloads with code, and we never modify your source. There is exactly one optional write, off until you turn it on: the audit-marker issue. If you enable it per repository (and grant issues:write), Watchdog maintains a single GitHub issue that tracks the open findings — opened and closed automatically, refreshed in place, never touching your code. Sign-in uses GitHub via our own self-hosted identity provider (Keycloak); we receive your GitHub login, display name and email address.
Public projects on GitLab can be added by URL — an anonymous, read-only clone, the same lifecycle as a GitHub scan (no token or install required). For projects not on GitHub or GitLab, you can upload a ZIP per scan; it follows the same lifecycle as a clone: extract, analyse, delete — the archive itself is not retained after the scan completes.
3. The scan lifecycle
- Clone. A temporary, isolated working copy of your repository is created on our analysis host, used only for the duration of the scan.
- Analyse. The engine computes metrics, scores and findings. Where a step uses a language model, the model is self-hosted on our own machines — your code never leaves our infrastructure.
- Store the results. What we keep: the report bundle (HTML/Markdown/PDF, findings, scores), numeric metric points for trend graphs, and run metadata (timing, commit SHA, status). What we do not keep: your source.
- Delete. The clone (or uploaded archive) is removed when the scan finishes — also on failure.
Reports can quote small code excerpts where a finding needs them (a flagged line and its location). Public reports go through an additional sanitiser that strips account names and security-sensitive specifics.
4. Where data lives
All processing and storage happens on servers owned and operated by Canine Development, located in Denmark. There is no cloud provider in the data path: analysis hosts, database, report storage, the identity provider and the language model are all self-hosted. Data therefore stays in the EU.
5. Who has access
- You and your team. Repository reports are visible to the repository's members. Membership mirrors GitHub and is re-synchronised daily — revoked on GitHub means revoked here within a day.
- Public reports exist only for repositories that are public and published (open-source repos on the free plan publish automatically — that is the bargain stated on the pricing page; paid cohorts publish only by explicit opt-in).
- Least-privilege operations. Production access is restricted to named Canine Development operations personnel, under least-privilege and logged; no contractors or third parties have access.
6. Transport & perimeter
- All public traffic is TLS-terminated at our own edge; internal services are not exposed to the internet (the application and database listen on internal interfaces only, behind a host firewall).
- Authentication is OIDC via self-hosted Keycloak, brokering GitHub — there are no local passwords to leak.
- Self-hosted scan ingestion (Enterprise) is token-authenticated per repository.
7. Subprocessors
The complete list of third parties that process customer data on our behalf:
| Subprocessor | Purpose | Data | Location |
|---|---|---|---|
| GitHub, Inc. | Source hosting & sign-in identity (you brought us to your code — we read it where it already lives) | Repository contents (read-only), account identity | USA (your existing GitHub relationship) |
| Stripe, Inc. | Payment processing | Billing details — card data never touches our servers | USA/EU |
That is the whole list. No analytics SaaS, no error-tracking SaaS, no CDN, no cloud AI. Identity (Keycloak), the analysis engine, the language model, the database and report storage are all self-hosted on our own hardware. We will update this page and notify account owners by email before adding any subprocessor.
8. Data protection & the DPA
Source code processed during a scan may incidentally contain personal data; account data (GitHub identity, email) is processed to operate the service. For customers who need a signed data-processing agreement, our standard Data Processing Agreement incorporates the subprocessor list above — contact us for a countersigned copy.
Right to erasure is self-service. Close your account from Profile & settings → Close account: a 14-day reversible grace period, then a permanent delete that erases your personal data and login and purges your repositories' reports. What is retained, and on what legal basis, is set out in DPA §4.
9. Compliance roadmap — the honest version
Watchdog does not hold a SOC 2 attestation today, and we will not pretend otherwise. What we provide instead, now: this page as a factual control statement, the subprocessor list above, a signable DPA, and EU-only processing on hardware we operate ourselves. A formal attestation (SOC 2 Type I or ISO 27001) is on the roadmap; Enterprise self-hosted deployments sidestep the question entirely — your code never leaves your network.
10. Responsible disclosure
Found a vulnerability? Report it to us with steps to reproduce. We acknowledge within 48 hours, keep you informed, and credit you if you want. Please give us reasonable time to fix before publishing, and do not access other customers' data while testing.
11. Imprint
Canine Development — registered company, Denmark.
CVR: 42092134
Contact: contact form
Responsible for this service: the operator of watchdog.canine.dev.