Skip to main content

Privacy & Security

Swimm's Security

info

We've prepared some frequently asked questions regarding Swimm's security profile, as well as information about Swimm's SOC 2 compliance.

Swimm's Privacy Policy

You can read the entire Privacy Policy here.


Code Access & Storage

TL;DR
  • Swimm does not modify any of your code
  • None of your actual code or content is stored on Swimm's servers
  • Your Git Provider token is not stored at any time on Swimm's servers
  • Swimm only changes a custom folder created for documentation ("/.swm")

Understanding Local Mode

For our Enterprise clients, a "Local Mode" is possible. In "Local Mode", no code ever leaves your network, not even for processing.

ModeSwimm might modify code?Code is stored on Swimm?Access token is stored on Swimm?Documents are stored on Swimm?Parts of the code may be processed by Swimm's servers?
Default ModeNeverNeverNeverNever (unless enabled by admin)Yes
Local ModeNeverNeverNeverNever (unless enabled by admin)Never

Questions and Answers

Who can see my code?
Only you, and those who normally have access to it in your Git provider, can see your code. Swimm never makes a copy of your code.

By default - Swimm processes parts of your code in order to make recommendations and suggestions for documentation that should be updated. In "Local Mode", all processing is done within your own network.

Does Swimm store the Git provider token that I provide?
No. The token is not stored at any time on Swimm's servers. The token is stored on the client-side browser (local storage) in a manner that is only accessible in the Swimm app.

By default, Swimm will use your tokens to create doc recommendations in our effort to help you push forward creating docs for your team. The token can be sent to Swimm’s cloud functions for this purpose, and the transaction is encrypted. Note, the token is not stored on Swimm’s database or in any other storage data, and is only used for the duration of the action. In "Local Mode", all processing is done within your own network.

Will any of our code or content be stored on Swimm's servers?
No. None of your actual code is stored on Swimm's server. By default, none of your content is stored on Swimm's servers either. Swimm only stores meta-data such as document titles, timestamps, usage statistics etc.

However, an admin of your workspace may enable sharing docs with users without code access for specific documents. In this case, a copy of the shared documents will be stored on Swimm's servers. Documents that have not been explicitly shared will not be stored on Swimm's servers.

Will Swimm ever make any changes to my code?
Absolutely not. Swimm will create a folder in your repo to store the documents you create upon first login to the app (/.swm/). After that, when you create documents and store them, Swimm saves the relevant file in the folder created in your repo. Swimm will not make any modifications to your code besides these files and will not change any existing code files. Every operation to the code starts with an explicit intent from the user, and the change management is performed on your version control system.

Can Swimm affect code in production?
No. Swimm does not modify any code in your production environment.

Does Swimm encrypt my data?
All data transferred to and from Swimm’s server will be encrypted during transit. Any data or metadata stored on Swimm’s servers will be encrypted at rest.


Sharing documents with users without code access

TL;DR
  • An admin may enable sharing specific documents with users without code access.
  • In this case, a copy of the shared documents will be stored on Swimm's servers.
  • Documents that have not been explicitly shared will not be stored on Swimm's servers.

An admin of your workspace may enable sharing docs with users without code access for specific documents. In this case, a copy of the shared documents will be stored on Swimm's servers. Documents that have not been explicitly shared will not be stored on Swimm's servers.

Learn more here.


Swimm CI Integration

TL;DR
  • Swimm uses read permissions to verify that docs are in sync
  • Swimm will never apply code or document changes to your repository without user consent

Can the Swimm CI app affect code in production?
No. Swimm does not modify any code in your production environment.

Compliance

We are pleased to share that Swimm is SOC 2 and ISO 27001 compliant.
Compliance with the SOC 2 standard is voluntary, but it has become increasingly important as companies select their service providers. For security-conscious businesses, SOC 2 compliance is now viewed as a minimal requirement when considering a SaaS provider, and it’s often a requirement in vendor contracts. To request Swimm’s full SOC 2 Type II report as of January 2023, send us an email at info@swimm.io. To receive the full report, you will need to sign an NDA. We can send proof of SOC 2 and ISO 27001 certification without an NDA.

Information for specific Git Hosting Providers

GitHub OAuth

Why is Swimm asking me for GitHub OAuth?
Swimm is using it to connect with your GitHub repositories in order to fetch relevant documents and verify if code snippets are up to date. In addition, Swimm enables users to issue Pull Requests to update documentation.

GitHub authoring policy doesn't allow write permissions per directory, so Swimm needs organizational, read & write permissions to the designated documentation folder in your repository (a "./swm" folder we create in order to store the documents).

GitHub App

See this entry.