
Security and Compliance

Q: What are the terms of service?

When you sign up, you must agree to our legal terms and terms of service, which cover many aspects ranging from NDAs and other warranties for the protection of your copyrights, patents, or trade secrets, to payment terms and more. Where anything in this documentation differs from those terms, the terms take precedence.

Our terms of service can be found at https://gitstart.com/terms.

Q: What is GitSlice?

  • GitSlice is a tool that creates a separate copy of part of your repository, under your control. You do not have to share the whole repository with us to use GitStart: GitSlice lets you specify glob patterns for what to include or ignore, so you keep full control of what you share with us.
  • GitStart developers work in a completely separate repository, the sliced repository. GitSlice pulls code from your repository (the upstream repository) into the sliced repository, and pushes branches from the sliced repository back to the upstream repository to open pull requests.

Q: How do we keep your repositories and code secure?

  • We do not work directly in your repository; we only slice the part of it selected by your configuration.
  • Only the selected team of developers working with you is allowed to access your repository.
  • All community developers have gone through background checks and signed non-disclosure agreements. Their devices also have full-disk encryption.

Q: How do we manage your secrets and env variables?

  • You may share secrets and environment variables so that we can build, run and test the code.
  • Build secrets are not shared with developers; they are used only when we test the build during onboarding and slice configuration.
  • Environment variables are shared with the developers working on the code base, for example keys to the staging/test environments that you are willing to share with us.

Q: How does GitStart AI use your data?

GitStart uses LLMs to help with ticket creation and code generation, but we take data privacy very seriously:

  • We only create vector embeddings of your code and tickets to enable semantic search - we do not use your data to train our AI models.
  • These embeddings are strictly filtered by client, instance, and repository to ensure they cannot be accessed by anyone else.

Q: What kind of access does the GitStart GitHub App, Linear App and JIRA App need respectively?

GitStart GitHub App

  • Clone your repos, pull and push from them
  • Create Pull Requests, comment and review them, update their state from Open ↔ Draft
  • Receive webhook events about your repos, PRs and GitHub issues so that we can keep our internal data synchronized
  • GitHub issues access is needed only if you want to assign us tickets through GitHub issues. It is kept separate: that access requires installing a separate GitStart Connector GitHub app.

Linear App

  • Read and write on Issues and Issue comments
  • Webhook events about issues to help with synchronizing Linear Issues with GitStart Tickets

Jira Connect App

  • The initial Jira OAuth app is used only to obtain the Atlassian tenant id; this requires the read:jira-user permission.
  • Once the tenant id has been determined and you install our Jira Connect app from the marketplace, the connector itself only has read-and-write access to Jira issues and issue comments, and to webhook events about those issues.

Jira PAT token

  • You give us a Jira personal access token, and your Jira admin has full control over what permissions that token, or the account tied to it, has.
  • We use the token only for read-and-write access to Jira issues and comments. We also provide documentation on how to set up webhooks manually in the Jira admin settings, so that you control which webhook events we receive too.

Q: How does GitStart assist with our Due Diligence process?

  • We can provide SOC 2 reports, results of recent penetration tests, data and information security policies, etc. You can view most of these at trust.gitstart.com.

Q: Who keeps the Code IP and ownership?

  • You keep the code IP and ownership

Q: How do we manage Developer access?

  • We group Developers into teams, and we assign these teams to your Instances
  • Only Developers who are in the team assigned to your instance can access the repos and code you share with us.

Q: How do I manually configure which portion of my repository to share?

While we work on automating this process, you can define a git-slice.json file with the necessary configuration and share it with us. The template for such a file is included below.

Our developers will only be able to see the files and folders you list in the folders array; anything listed in the ignore array is not sliced.

The configuration JSON file should follow the schema:

{
  "$schema": "http://json-schema.org/draft-06/schema#",
  "title": "Gitslice",
  "type": "object",
  "description": "The configuration options for Gitslice",
  "additionalProperties": false,
  "properties": {
    "repoUrl": {
      "type": "string",
      "description": "The link to your codebase repository",
      "format": "uri",
      "qt-uri-protocols": ["https"],
      "qt-uri-extensions": [".git"]
    },
    "folders": {
      "type": "array",
      "description": "An array of file and folder paths that you can securely share and our developers will work on",
      "items": {
        "type": "string"
      }
    },
    "branch": {
      "type": "string",
      "description": "The specific branch we should GitSlice from your repository"
    },
    "ignore": {
      "type": "array",
      "description": "An array of file and folder paths we should not slice. These are the files that you want to avoid sharing with us",
      "items": {
        "type": "string"
      }
    }
  },
  "required": ["repoUrl", "folders", "branch", "ignore"]
}

This is an example of what the GitSlice configuration JSON file might look like:

{
  "repoUrl": "https://github.com/{yourOrganization}/{yourRepo}.git",
  "folders": ["folder/test"],
  "branch": "dev",
  "ignore": ["CODEOWNERS"]
}
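As an added example that is not part of GitStart's documentation or GitSlice tooling, the script below validates a git-slice.json against the schema above and then dry-runs it over a constructed local checkout to list exactly which files would leave your repository. The matching rules it applies (a folders entry is a repo-relative path prefix, an ignore entry is an fnmatch glob tested against both the relative path and the bare file name), the example organisation and repository names, and the sample file tree are all assumptions made for this example; GitSlice's real matching may differ, so compare the preview with its actual output.

```python
"""Dry-run preview of a git-slice.json configuration.

Added example; this is not GitStart's own GitSlice tooling. Two behaviours
are assumptions, because the page does not spell them out:
  * an entry in "folders" is a repo-relative path prefix (a directory shares
    everything beneath it, a file shares just that file);
  * an entry in "ignore" is a glob pattern matched with fnmatch against both
    the repo-relative path and the bare file name.
Compare the result against what GitSlice actually produces before relying on it.
"""
import fnmatch
import tempfile
from pathlib import Path
from urllib.parse import urlparse

REQUIRED_KEYS = {"repoUrl", "folders", "branch", "ignore"}

# Constructed example config, modelled on the one in the documentation
# (hypothetical organisation and repository names).
EXAMPLE_CONFIG = {
    "repoUrl": "https://github.com/example-org/example-repo.git",
    "folders": ["folder/test"],
    "branch": "dev",
    "ignore": ["CODEOWNERS", "*.env", "*.pem"],
}


def validate_config(cfg: dict) -> list[str]:
    """Check cfg against the schema on this page; returns a list of problems (empty = ok)."""
    problems = []
    missing = REQUIRED_KEYS - cfg.keys()
    if missing:
        problems.append(f"missing required keys: {sorted(missing)}")
    extra = cfg.keys() - REQUIRED_KEYS
    if extra:
        problems.append(f"unexpected keys (additionalProperties is false): {sorted(extra)}")
    if "repoUrl" in cfg:
        url = cfg["repoUrl"]
        if not isinstance(url, str):
            problems.append("repoUrl must be a string")
        else:
            parsed = urlparse(url)
            if parsed.scheme != "https":      # qt-uri-protocols: ["https"]
                problems.append("repoUrl must use https")
            if not parsed.path.endswith(".git"):  # qt-uri-extensions: [".git"]
                problems.append("repoUrl must end with .git")
    if "branch" in cfg and not isinstance(cfg["branch"], str):
        problems.append("branch must be a string")
    for key in ("folders", "ignore"):
        if key in cfg:
            val = cfg[key]
            if not isinstance(val, list) or not all(isinstance(x, str) for x in val):
                problems.append(f"{key} must be an array of strings")
    return problems


def _is_shared(rel: str, name: str, cfg: dict) -> bool:
    """Apply the assumed folder-prefix and ignore-glob rules to one file."""
    in_scope = any(
        rel == f.rstrip("/") or rel.startswith(f.rstrip("/") + "/") for f in cfg["folders"]
    )
    if not in_scope:
        return False
    return not any(
        fnmatch.fnmatch(rel, pat) or fnmatch.fnmatch(name, pat) for pat in cfg["ignore"]
    )


def preview_slice(repo_root: Path, cfg: dict) -> list[str]:
    """Return the sorted repo-relative paths that would end up in the sliced repository."""
    shared = []
    for path in repo_root.rglob("*"):
        if not path.is_file():
            continue
        parts = path.relative_to(repo_root).parts
        if parts[0] == ".git":  # git metadata is never part of the slice
            continue
        rel = "/".join(parts)
        if _is_shared(rel, path.name, cfg):
            shared.append(rel)
    return sorted(shared)


def demo() -> dict:
    """Build a constructed throwaway checkout and preview EXAMPLE_CONFIG against it."""
    sample_files = [  # constructed sample tree, not a real repository
        ".git/config",
        "CODEOWNERS",
        "README.md",
        "folder/test/app.py",
        "folder/test/fixtures/data.json",
        "folder/test/.env",                 # secret inside a shared folder: must be ignored
        "folder/test/keys/server.pem",      # same
        "folder/other/internal_module.py",  # outside "folders": never shared
    ]
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for rel in sample_files:
            target = root / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text("constructed sample content\n")
        return {
            "problems": validate_config(EXAMPLE_CONFIG),
            "shared": preview_slice(root, EXAMPLE_CONFIG),
        }


if __name__ == "__main__":
    result = demo()
    print("schema problems:", result["problems"] or "none")
    print("files that would be shared:")
    for rel in result["shared"]:
        print("  ", rel)
```

The point of the dry run is the two files under folder/test/ that never make it into the preview: a folders entry shares everything beneath it, so secrets that live inside a shared folder (.env files, private keys, local overrides) must be covered by an ignore pattern, and it is worth running a preview like this against the real branch before you send the configuration.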