SlashCommandSlashCommand

Trust Retention

Data Retention Approach

What SlashCommand retains, why it is retained, and the current state of formal policy documentation.

Overview

SlashCommand uses bounded repository signals and does not retain a persistent mirror of your repository.

Pull request metadata is always part of that analysis. In selected review and approval flows, GitHub diff content may also be handled and retained in operational records. A formal data retention policy is currently being documented. This page describes the current operational practice.

What we retain

Analysis data and bounded operational review records.

Analysis data

  • Pull request metadata — title, author, labels, status
  • File paths and diff statistics
  • GitHub diff content in selected review and approval flows
  • Commit SHAs and branch references
  • CI/CD check status
  • Dependency manifests (package.json, etc.)

Retained for the duration of the analysis session and to support product functionality. Formal deletion timelines are being documented.

Account & auth data

  • Account identifier and email address
  • GitHub App installation binding
  • Session credentials (short-lived)

Retained for the duration of an active account. Session credentials expire automatically and are not persisted.

What we do not retain

No persistent repository mirror is stored. Access tokens are not persisted.

  • A persistent mirror of your repository source code
  • Long-lived GitHub access tokens — tokens are minted per-request and expire automatically
  • Personal access tokens — SlashCommand does not use personal access tokens
  • Repository source code in logs

Current state of formalization

Operational today. Formal documentation in progress.

The retention practices described on this page reflect current operational behavior. A formal written data retention policy, with explicit category-by-category retention periods and deletion commitments, is in progress and not yet complete.

We do not publish retention periods we cannot currently support with formal documentation. This page will be updated as the policy is formalized.

Also in this series

Service SubprocessorsInfrastructure and service providers that process data on our behalf

Questions

Questions about data retention can be directed to our security and trust address.

For procurement, vendor review, or DPA-related questions, reach out directly. Additional details on current retention practices can be provided during evaluation.

Security & trust inquiries

security@slashcommand.dev

For vendor review, security questions, and trust inquiries.

← Back to Trust