Privacy & Security
Swimm's Security
We've prepared some frequently asked questions regarding Swimm's security profile, installing Swimm's GitHub App, as well as information about Swimm's SOC 2 compliance.
Swimm's Privacy Policy
You can read the entire Privacy Policy here.
GitHub OAuth
Why is Swimm asking me for GitHub OAuth?
Swimm uses it to connect to your GitHub repositories in order to fetch the relevant documents and verify whether code snippets are up to date. In addition, Swimm lets users open Pull Requests to update documentation.
GitHub's authorization model doesn't allow write permissions to be scoped to a single directory, so Swimm needs organizational read & write permissions for the designated documentation folder in your repository (a ".swm" folder we create in order to store the documents).
Code Access & Storage
- Swimm does not modify any of your code
- None of your actual code or content is stored on Swimm's servers
- Your GitHub token is not stored at any time on Swimm's servers
- Swimm only changes a custom folder created for documentation ("/.swm")
Who can see my code?
Only you, and those who normally have access to it in GitHub, can see your code. Swimm never makes a copy of your code, but for some features, Swimm processes parts of your code in order to make recommendations and suggestions for documentation that should be updated.
Does Swimm store the GitHub token that I provide?
No. The GitHub token is not stored at any time on Swimm's servers. The token is stored in the browser's local storage on the client side, in a manner that is only accessible to the Swimm app.
However, Swimm will use your token to create doc recommendations, to help you move forward with creating docs for your team. For this purpose the token can be sent to Swimm’s cloud functions, and the transmission is encrypted. Note that the token is not stored in Swimm’s database or in any other storage, and is only used for the duration of the action.
Will any of our code or content be stored on Swimm's servers?
No. None of your actual code is stored on Swimm's servers. By default, none of your content is stored on Swimm's servers either. Swimm only stores metadata such as document titles, timestamps, usage statistics, etc.
However, an admin of your workspace may enable sharing docs with users without code access for specific documents. In this case, a copy of the shared documents will be stored on Swimm's servers. Documents that have not been explicitly shared will not be stored on Swimm's servers.
Will Swimm ever make any changes to my code?
Absolutely not. Upon your first login to the app, Swimm creates a folder in your repo (/.swm/) to store the documents you create. After that, when you create documents and store them, Swimm saves the relevant file in that folder. Swimm will not make any modifications to your code besides these files and will not change any existing code files. Every operation on the code starts with an explicit intent from the user, and change management is performed in your version control system.
Can Swimm affect code in production?
No. Swimm does not modify any code in your production environment.
Does Swimm encrypt my data?
All data transferred to and from Swimm’s servers is encrypted in transit. Any data or metadata stored on Swimm’s servers is encrypted at rest.
Sharing documents with users without code access
- An admin may enable sharing specific documents with users without code access.
- In this case, a copy of the shared documents will be stored on Swimm's servers.
- Documents that have not been explicitly shared will not be stored on Swimm's servers.
An admin of your workspace may enable sharing docs with users without code access for specific documents. In this case, a copy of the shared documents will be stored on Swimm's servers. Documents that have not been explicitly shared will not be stored on Swimm's servers.
Learn more here.
Swimm CI Integration
- Swimm uses read permissions to verify that docs are in sync
- Swimm will never apply code or document changes to your repository without user consent
Which permissions does the GitHub App require and why?
Swimm uses read access to read your code and verify that the documents are in sync.
- We use “PR comment creation” access to write a comment, identified as “Swimm”, on the PR during verification.
- When we discover documents that have become out of sync due to code changes in a PR, we use write access to create a commit on the same PR with the required document changes, in order to automatically sync your documents.
- We need check permissions (both read and write) to install the GitHub App in your repos and execute the app on demand.
- Once the app is installed, a user can choose to enable or disable the app per repo, and make its checks required or not required per branch.
Swimm will never apply code or document changes to your repository without user consent.
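The permissions listed above are what the vendor says the app needs; the complementary check on the customer side is to confirm that the installation actually holds no more than that. The following script is an added example written for this page, not Swimm's code: it compares the permissions an installed GitHub App holds (the `permissions` object GitHub returns for an installation) against an expected least-privilege set and reports anything broader. The mapping of the bullet points above onto GitHub permission names (`contents`, `pull_requests`, `checks`, `metadata`) and the sample installation record are assumptions constructed for the example; verify the expected set against the app's installation settings page in your organization.

```python
"""Least-privilege audit of a GitHub App installation's permissions.

Added example for this page (not Swimm's code). The EXPECTED mapping and the
sample installation below are constructed assumptions, not data from Swimm.
"""
from __future__ import annotations

# GitHub permission levels, ordered from least to most privileged.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Assumed mapping of the documented needs onto GitHub App permission scopes:
#   read code to verify docs are in sync        -> contents: read
#   create a commit on the PR to sync docs      -> contents: write
#   comment on the PR during verification       -> pull_requests: write
#   install and run checks on demand            -> checks: write
#   metadata: read is granted to every app      -> metadata: read
EXPECTED = {
    "contents": "write",
    "pull_requests": "write",
    "checks": "write",
    "metadata": "read",
}


def audit_permissions(granted: dict[str, str],
                      expected: dict[str, str] = EXPECTED) -> list[str]:
    """Return one finding per granted scope that exceeds the expected level.

    Scopes absent from `expected` are treated as "none", so any unexpected
    scope (e.g. administration, secrets) is reported as an over-grant.
    """
    findings = []
    for scope, level in sorted(granted.items()):
        want = expected.get(scope, "none")
        # Unknown level strings are ranked highest so they are never silently passed.
        if LEVELS.get(level, 99) > LEVELS[want]:
            findings.append(f"{scope}: granted {level}, expected {want}")
    return findings


def missing_permissions(granted: dict[str, str],
                        expected: dict[str, str] = EXPECTED) -> list[str]:
    """Scopes the app needs but does not hold (a functional gap, not a risk)."""
    return [
        scope for scope, level in expected.items()
        if LEVELS.get(granted.get(scope, "none"), 0) < LEVELS[level]
    ]


# Constructed sample of an installation record; the `permissions` object has the
# shape GitHub's REST API uses for installations (assumed, values are made up).
SAMPLE_INSTALLATION = {
    "id": 12345,  # constructed installation id
    "permissions": {
        "contents": "write",
        "pull_requests": "write",
        "checks": "write",
        "metadata": "read",
        "administration": "write",  # constructed over-grant to show a finding
        "secrets": "read",          # constructed over-grant to show a finding
    },
}

if __name__ == "__main__":
    for finding in audit_permissions(SAMPLE_INSTALLATION["permissions"]):
        print("over-privileged:", finding)
    for scope in missing_permissions(SAMPLE_INSTALLATION["permissions"]):
        print("missing:", scope)
```

In practice the `permissions` object would come from the organization's installation settings or from the GitHub REST API rather than the constructed sample; the comparison logic is the same. Run the audit again whenever the app asks to accept new permissions, since GitHub Apps can request additional scopes after installation and an admin must approve them.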
Does Swimm store the GitHub token that I provide?
No. Every time an action is triggered, GitHub sends the unique app installation identifier to Swimm’s server. We use this information to generate a unique, one-off token. This token is never stored on our servers and is used for the duration of the action only.
Will any of our code travel to Swimm's servers?
No. While the action runs, the app reads the code to verify that the documentation is up to date. We remove the code from our servers immediately after the operation is completed. During this process, no one at Swimm has access to your code or to your content. We never store your code on our servers.
Can the Swimm CI app affect code in production?
No. Swimm does not modify any code in your production environment.
Compliance
We are pleased to share that Swimm is SOC 2 and ISO 27001 compliant.
Compliance with the SOC 2 standard is voluntary, but it has become increasingly important as companies select their service providers. For security-conscious businesses, SOC 2 compliance is now viewed as a minimal requirement when considering a SaaS provider, and it’s often a requirement in vendor contracts.
To request Swimm’s full SOC 2 Type II report as of December 2021, send us an email at info@swimm.io. To receive the full report, you will need to sign an NDA. We can send proof of SOC 2 and ISO 27001 certification without an NDA.