Security & Data Handling
Last updated: 17 June 2026
Angada connects to your GitHub organization and your Slack workspace to turn pull-request activity into clean, in-place notifications. That access is something we take seriously. This page explains, in plain language, exactly what Angada can see, what it stores, how it's protected, and how to remove it.
Two principles up front:
- Read-only. Angada never writes to your repositories, never pushes code, and never posts anything in Slack except the notifications it creates.
- We don't read your source code or your Slack conversations. Angada works with pull-request metadata and the messages it posts. It does not read your file contents, commit diffs, or the messages your team writes — see the note on GitHub permissions below.
What Angada accesses
GitHub (read-only)
Angada installs as a GitHub App on the organization or repositories you choose, with read-only access. It reads and processes only:
- Pull request metadata — title, author, branch, status, requested reviewers, review states, draft/merge-conflict state.
- Check / CI status — pass/fail of the checks on a PR.
- Repository metadata — name and the list of repos you selected.
- Organization teams & members — to map team membership for the daily digest.
About repository-contents access. GitHub's permission model currently grants Angada's app read access to repository contents alongside pull-request access. Angada's software does not use it: it reads only pull-request metadata, and never opens, stores, or transmits your file contents or commit diffs. You can review the exact permissions on the app's GitHub page, and change or remove which repositories Angada sees at any time.
Slack
Angada installs as a Slack app with a narrow set of permissions. It can:
- Post and update the messages it creates (the per-PR message and the daily digest).
- List the channels you choose so you can route notifications.
- Look up a user by email to map a GitHub user to the right Slack person for @mentions (Identity Link).
Angada cannot read your Slack messages. It has no permission to view your team's conversations.
What Angada stores
To deliver living messages and daily reports, Angada stores the minimum needed:
| Stored | Not stored |
|---|---|
| Your Slack workspace ID and encrypted bot token | ❌ Your source code, file contents, or commit diffs |
| Your GitHub installation ID and selected repositories | ❌ Your Slack message content |
| PR metadata: number, title, author, repo, status, CI status, requested reviewers, review state, and reviewer comment summaries | ❌ Passwords (we use magic-link sign-in) |
| Channel routing, team, and schedule settings | ❌ Payment card details (handled by our payment provider) |
| Identity links (GitHub login → Slack user ID) | |
| The raw GitHub event payloads we receive (PR metadata), used to process events and avoid duplicate messages | |
| Your account email (for sign-in) |
How your data is protected
- Encryption in transit. All traffic to and from Angada uses TLS/HTTPS.
- Encrypted tokens at rest. Slack bot tokens are encrypted in our database using AES-256-GCM, not stored in plaintext.
- Per-workspace isolation. Every tenant's data is separated at the database level by PostgreSQL Row-Level Security, scoped to your workspace — so one customer's data is never reachable from another's.
- Verified webhooks. Every incoming GitHub webhook is checked with an HMAC signature before it's processed, so forged events are rejected.
- Passwordless sign-in. Authentication is via magic link to your email — there are no passwords for us to store or for attackers to steal.
Where Angada runs (subprocessors)
Angada is built on established infrastructure providers. Customer data is hosted in the EU. We share only the data each provider needs to do its job:
| Provider | Purpose | Region |
|---|---|---|
| Supabase | Database & authentication | EU |
| Railway | Application backend & scheduled reports | EU |
| Vercel | Website & dashboard hosting | EU / global edge |
| PostHog | Privacy-friendly product analytics | EU |
| Slack | Delivering notifications | Your connected workspace |
| GitHub | Pull-request events | Your connected org |
| Lemon Squeezy | Payment processing & billing (Merchant of Record) — planned, not yet active | US |
Removing Angada & deleting your data
Turning Angada off and deleting your data are two separate steps, and you control both:
- Stop data collection. Disconnect Slack or GitHub from the dashboard, or uninstall the app directly in Slack or GitHub. This immediately stops Angada from fetching any further pull-request activity.
- Disconnecting stops collection — it doesn't, by itself, erase data already stored. Because Angada never stores your source code or your personal Slack messages, only a small amount of metadata (workspace, PR metadata, and your settings) is ever held in the first place.
- Delete your data on request. Email hello@angada.ai and we'll remove the data we hold for you.
- Self-serve account deletion is on the way. A "Delete my account" option that erases your data in one step is in our pipeline.
Compliance status — where we honestly stand
We believe in being straight about this rather than implying certifications we don't hold:
- Angada is not SOC 2 certified yet. A formal SOC 2 audit is on our roadmap.
- SSO/SAML and a signed DPA are on the roadmap, not available today.
- What we do today: read-only access, encrypted tokens, per-workspace isolation, verified webhooks, and full deletion on uninstall — the fundamentals above.
If your organization needs SOC 2, a DPA, or SSO before adopting Angada, tell us — it helps us prioritize, and we'll let you know where things stand.
Reporting a vulnerability
Found a security issue? Please email hello@angada.ai with the details. We'll acknowledge your report and work with you on a fix. Please don't publicly disclose an issue before we've had a chance to address it.
Questions
Security or data questions before you install? Email hello@angada.ai — happy to help.