Swimm Web App - Security Overview

Swimm is a platform for Continuous Documentation, helping developers create, find, and maintain documentation. With Swimm, developers create code-coupled documentation that is saved on their own repository in Markdown format and is kept up-to-date when the code changes.

We've prepared some frequently asked questions regarding Swimm's security profile as well as information about Swimm's SOC 2 compliance.

If you have any questions that do not appear here, or if you need clarification, please don’t hesitate to contact us at info@swimm.io.

Why is Swimm asking me for GitHub OAuth?

Swimm uses it to connect to your GitHub repositories in order to fetch relevant documents and verify whether code snippets are up to date. In addition, Swimm enables users to open Pull Requests that update documentation. Swimm never makes changes to source code files other than documentation files (.sw.md).

Who can see my code?

Only you, and those who normally have access to it in GitHub, can see your code. Swimm never makes a copy of your code, but for some features, Swimm processes parts of your code in order to make recommendations and suggestions for documentation that should be updated.

How does Swimm store the GitHub token that I provide?

The GitHub token is never stored on Swimm’s servers. It is stored in the client-side browser (local storage) in a manner that is only accessible to the Swimm app. Swimm does, however, use your token to generate documentation recommendations, in order to help you move forward with creating docs for your team.

Will any of our code or content be stored on Swimm’s servers?

None of your actual code or content is stored on Swimm's servers. Swimm only stores metadata such as document titles, timestamps, usage statistics, etc.

Will Swimm ever make any changes to my code?

Upon your first login to the app, Swimm creates a folder in your repo (/.swm/) to store the documents you create. After that, whenever you create and save a document, Swimm writes the relevant file into that folder. Swimm makes no modifications to your code besides these files and never changes any existing code files. Every operation on the code starts with an explicit intent from the user, and change management is performed by your version control system.

Where are Swimm’s servers?

Google Cloud Platform (GCP).

Does Swimm encrypt my data?

All data transferred to and from Swimm’s server will be encrypted during transit. Any data or metadata stored on Swimm’s servers will be encrypted at rest.

Can Swimm affect code in production?

No, Swimm does not modify any code in your production environment.

Swimm CI Integration - Information Regarding GitHub App Authorization

Swimm helps users maintain up-to-date documentation with CI integration. This can be done manually [add link to relevant doc site page] or by using our GitHub App.

We've prepared some frequently asked questions about the Swimm GitHub App’s security profile. Note that these apply only to users of the GitHub App, not to users of our web app who do not use the GitHub App. If you have any questions that do not appear here, or if you need clarification, please don’t hesitate to contact us at info@swimm.io.

Which permissions does the GitHub App require and why?

Swimm uses read access to read your code and verify that the documents are in sync.

We use “PR comment creation” access to write a comment, identified with “Swimm” on the PR during verification.

When we discover documents that become out of sync due to code changes in a PR, we use write access to create a commit on the same PR with the required document changes in order to automatically sync your documents. Note that Swimm will never apply code or document changes to your repository without user consent.

We need Checks permissions (both read and write) to install the GitHub App in your repos and run the app on demand. Once the app is installed, a user can choose to enable or disable the app per repo and make the checks required or not required per branch.

Does Swimm store the GitHub token that I provide?

No. Every time an action is triggered, GitHub sends the unique app installation identifier to Swimm’s server. We use this information to generate a unique token (one-off token). This token is never stored on our servers and is used for the duration of the action only.
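The one-off token described above is GitHub's standard App authentication flow: the server signs a short-lived JWT with the App's private key and exchanges it for an installation token tied to the installation ID it received. The Go program below is an added illustration, not Swimm's code; the App ID, key and timestamps are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"strings"
)

// appClaims: GitHub expects iss = App ID and exp at most 10 minutes after iat.
type appClaims struct {
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
	Iss string `json:"iss"`
}

var b64 = base64.RawURLEncoding
// demoKey stands in for the App's private key (generated here for the example).
func demoKey() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
// mintAppJWT signs header.claims with RS256 using the 10-minute maximum lifetime.
func mintAppJWT(key *rsa.PrivateKey, appID string, now int64) (string, error) {
	body, _ := json.Marshal(appClaims{Iat: now, Exp: now + 600, Iss: appID})
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, h[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}

// verifyAppJWT checks the RSA signature first (never trusting the header's alg, so alg=none/HS256 fails), then expiry and the lifetime cap.
func verifyAppJWT(pub *rsa.PublicKey, tok string, now int64) (c appClaims, err error) {
	p := strings.Split(tok, ".")
	if len(p) != 3 {
		return c, errors.New("malformed token")
	}
	dec := func(s string) []byte { b, _ := b64.DecodeString(s); return b } // bad base64url fails below
	h := sha256.Sum256([]byte(p[0] + "." + p[1]))
	if err = rsa.VerifyPKCS1v15(pub, crypto.SHA256, h[:], dec(p[2])); err != nil {
		return c, err
	}
	if json.Unmarshal(dec(p[1]), &c) != nil || now >= c.Exp || c.Exp-c.Iat > 600 {
		return c, errors.New("bad claims, expired, or lifetime exceeds 10 minutes")
	}
	return c, nil
}
```

In the real flow the JWT is presented to GitHub's `POST /app/installations/{installation_id}/access_tokens` endpoint, which returns an installation token that itself expires; neither credential needs to be persisted server-side.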

Will any of our code or content travel to Swimm’s servers? Why?

Yes. During the action operation, the app reads the code to verify that the documentation is up to date. We remove the code immediately from our servers after the operation is completed. During this process, no one at Swimm has access to your code or to your content.

To emphasize: we never store your code on our servers.

Will any of our code or content ever be stored on Swimm’s servers?

No.

Will Swimm ever make any changes to my code?

The Swimm GitHub App will only modify documentation files inside a folder named .swm created for this use. This includes .sw.md files (Swimm Docs). Swimm will never add or make changes to any other parts of your code.

Where are Swimm’s servers?

Google Cloud Platform (GCP).

Does Swimm encrypt my data?

All data transferred to Swimm’s servers is encrypted in transit. We use only secure channels (HTTPS) to fetch the code from GitHub's servers and to communicate the results back.

Can the Swimm CI app affect code in production?

No, Swimm does not modify any code in your production environment.

Is Swimm SOC 2 compliant?

We are pleased to share that Swimm is SOC 2 compliant. Compliance with the SOC 2 standard is voluntary, but it has become increasingly important as companies select their service providers. For security-conscious businesses, SOC 2 compliance is now viewed as a minimal requirement when considering a SaaS provider, and it’s often a requirement in vendor contracts.

To request Swimm’s full SOC 2 Type II report as of December 2021, just send us an email at info@swimm.io.