Privacy & Security

Swimm's Security

We've prepared some frequently asked questions regarding Swimm's security profile, as well as information about Swimm's SOC 2 compliance.

Swimm's Privacy Policy

You can read the entire Privacy Policy here.


Code Access & Storage

TL;DR
  • Swimm does not modify any of your code
  • None of your actual code or content is stored on Swimm's servers
  • Your Git provider token is never stored on Swimm's servers
  • Swimm only writes to a dedicated documentation folder it creates in your repository ("/.swm")

Understanding Local Mode

For Enterprise clients, a "Local Mode" is available. In "Local Mode", no code ever leaves your network, not even for processing.

Mode          Might modify code?  Code stored on Swimm?  Token stored on Swimm?  Documents stored on Swimm?        Code processed by Swimm's servers?
Default Mode  Never               Never                  Never                   Never (unless enabled by admin)   Yes
Local Mode    Never               Never                  Never                   Never (unless enabled by admin)   Never

Questions and Answers

Who can see my code?

Only you, and those who already have access to it in your Git provider, can see your code. Swimm never makes a copy of your code.

By default, Swimm processes parts of your code in order to recommend documentation that should be updated. In "Local Mode", all processing is done within your own network.

Does Swimm store the Git provider token that I provide?

No. The token is never stored on Swimm's servers. It is kept on the client side, in the browser's local storage, in a manner that is only accessible to the Swimm app.

By default, Swimm uses your token to generate doc recommendations that help your team keep documentation moving. For this purpose the token can be sent to Swimm's cloud functions; that transfer is encrypted in transit, and the token is used only for the duration of the action and is never written to Swimm's database or any other storage. In "Local Mode", all processing is done within your own network.

Will any of our code or content be stored on Swimm's servers?

No. None of your actual code is stored on Swimm's servers. By default, none of your content is stored on Swimm's servers either. Swimm only stores metadata such as document titles, timestamps and usage statistics.

However, an admin of your workspace may enable sharing docs with users without code access for specific documents. In this case, a copy of the shared documents will be stored on Swimm's servers. Documents that have not been explicitly shared will not be stored on Swimm's servers.

Will Swimm ever make any changes to my code?

No. On your first login to the app, Swimm creates a /.swm/ folder in your repository to hold the documents you create; afterwards, each document you save is written to a file in that folder. Swimm makes no modifications to your repository besides these files and never changes existing code files. Every operation on the repository starts with an explicit action by the user, and the change is committed through your version control system, so it is visible and reviewable there like any other change.

Can Swimm affect code in production?
No. Swimm does not modify any code in your production environment.

Does Swimm encrypt my data?
All data transferred to and from Swimm's servers is encrypted in transit. Any data or metadata stored on Swimm's servers is encrypted at rest.


Sharing documents with users without code access

TL;DR
  • An admin may enable sharing specific documents with users without code access.
  • In this case, a copy of the shared documents will be stored on Swimm's servers.
  • Documents that have not been explicitly shared will not be stored on Swimm's servers.

An admin of your workspace may enable sharing docs with users without code access for specific documents. In this case, a copy of the shared documents will be stored on Swimm's servers. Documents that have not been explicitly shared will not be stored on Swimm's servers.


Swimm CI Integration

TL;DR
  • Swimm uses read permissions to verify that docs are in sync with the code
  • Swimm will never apply code or document changes to your repository without user consent

Can the Swimm CI app affect code in production?

No. Swimm does not modify any code in your production environment.

Compliance

We are pleased to share that Swimm is SOC 2 and ISO 27001 compliant.

Compliance with the SOC 2 standard is voluntary, but it has become increasingly important as companies select their service providers. For security-conscious businesses, SOC 2 compliance is now viewed as a minimal requirement when considering a SaaS provider, and it's often a requirement in vendor contracts. To request Swimm's full SOC 2 Type II report as of January 2023, send us an email at info@swimm.io. To receive the full report, you will need to sign an NDA. We can send proof of SOC 2 and ISO 27001 certification without an NDA.

Information for specific Git Hosting Providers

Git Hosting OAuth

Why is Swimm asking me to OAuth into GitHub, GitLab, Bitbucket and Azure?

Swimm uses OAuth to connect to your remote repositories in order to fetch the relevant documents and verify that code snippets are up to date. In addition, Swimm lets users open pull requests to update documentation.

Git hosting providers' authorization models do not allow write permission to be scoped to a single directory. As a result, Swimm needs organization-level read and write permission in order to reach the designated documentation folder in your repository. Swimm creates a .swm folder in your repository to store its documents. Note that the restriction to that folder is enforced by Swimm's own behaviour, not by the provider's permission model: the granted token could technically write elsewhere, and Swimm is committing to use it only for the .swm folder.

GitHub App

See this entry.

Azure OpenAI Integration

Swimm uses Azure OpenAI to provide AI-powered code knowledge assistance:

Data Handling

  • When using Generative AI, Swimm sends only the specific parts of documents needed for content generation, including code snippets, to Azure OpenAI. No other data is transmitted.
  • When using /ask Swimm, Azure OpenAI processes the user's query to produce the response.
  • Swimm does not train its models on user data. /ask Swimm analyzes code locally, and all chat sessions are stored on the user's local machine, not on Swimm's servers.
  • Data processed by Azure OpenAI is not stored; it is used solely for real-time processing to generate the response.

Azure OpenAI's Data Handling Practices

For detailed information on Azure OpenAI's data handling practices, please refer to their official documentation: Azure OpenAI Data Privacy.

Privacy

  • Data processed by Azure OpenAI is not accessible to other customers or OpenAI. It is used exclusively to provide the requested assistance and is not stored or used to improve Azure OpenAI models.

Stateless Models

  • Azure OpenAI models process data statelessly: they retain no information about the data they process, and each session is independent of every other.

By integrating robust security measures and leveraging Azure OpenAI's advanced capabilities, Swimm ensures that your data remains secure while providing powerful, context-aware assistance to your development team.

Self-hosted Azure OpenAI

Companies can opt to use their own Azure OpenAI instance, deployed within their own network, for stronger data privacy and security.

Reach out to your Swimm representative for more information to set up Swimm with your own Azure OpenAI instance.

Why Swimm uses Azure OpenAI instead of OpenAI

Swimm uses Azure OpenAI rather than OpenAI's own API because of its security, privacy and compliance benefits. Azure OpenAI runs on Microsoft's enterprise-grade infrastructure, providing data governance and compliance with standards such as SOC 2 and ISO 27001.

Additionally, data processed by Azure OpenAI remains within Microsoft's infrastructure under the organization's control, and is encrypted both in transit and at rest.