Modu

Trust & Security

Privacy-first runtime for coding agents. Ephemeral compute, minimal scopes, and no code retention by default — with clear controls and auditability.

Ephemeral VMsNo Code RetentionMinimal OAuth ScopesTLS 1.2+SOC 2 Type II (in progress)

Data Processing & Integrations

What we need to operate — and what we intentionally avoid

GitHub / SCM
  • Read-only repo scopes unless you request write access for PRs.
  • Temporary code download into in-memory tokens; nothing persisted post-session.
  • PRs opened from isolated branches for safe review.
Slack
  • Listens for mentions and authorized threads only — no background indexing.
  • Inline policy enforcement/redaction on commands.
  • Workspace/channel-level admin controls.
Runtime
  • Isolated sandboxes with allow-listed egress.
  • Secrets injected as env vars per run; never written to disk.
  • VMs destroyed at the end of each session; caches wiped.

Privacy & Data

What we keep (and what we never store)

What We Store
  • Metadata: timestamps, agent identity, token counts, provider, PR status, and cost signals.
  • Audit trails: prompts & decisions needed for accountability (redactable by policy).
  • Anonymous analytics: de-identified and never linked to a user ID.
What We Don't Store
  • Your prompts (unless you explicitly opt-in)
  • Your code or model responses (unless you explicitly opt-in)
  • Any PII or long-lived tokens in persistent storage
  • No third-party code sharing: code is never transmitted outside your session or configured providers.
  • No background processing: no passive scanning, crawling, or indexing.

Controls & Guardrails

How we prevent risky changes before they reach your repo

Access & Auth
  • SSO/SAML, SCIM provisioning, and role-based permissions.
  • Per-repo & workspace policies; model/provider allow-lists.
PR Safety
  • Static checks for secrets/PII on diffs before PRs are created.
  • Sandboxed tests; block on failure; change-size and file-type limits.
Transport & Storage
  • TLS 1.2+ in transit; encrypted volumes where applicable.
  • No persistent code retention; ephemeral sandboxes only.

Benchmarks & Telemetry

Opt-in only; standardized, anonymized, and fair

Standardization
  • Rolling 90-day window; minimum activity thresholds.
  • Created PRs = non-draft PRs; drafts excluded from topline metrics.
  • CI/CD context: include PRs with ≥1 successful run; dedupe retriggers & bot forks.
Opt-In Privacy

Aggregate leaderboards are built from anonymized, opt-in telemetry. Your private telemetry never leaves your tenant unless you choose to share.