Security & Trust Overview

How Warclick protects your data

Executive Summary

Warclick is designed with security-first principles. We collect only the metadata needed to provide engineering analytics—never source code, secrets, or file contents. Your data is isolated, encrypted, and hosted entirely within AWS US infrastructure.

  • Metadata only. No source code access or storage.

  • Strict isolation. Multi-tenant architecture with organization-level data boundaries.

  • US-only hosting. All data resides in AWS us-east-2 (Ohio).

  • Industry-standard auth. GitHub OAuth for identity, minimal permissions requested.

Data Collection Scope

Warclick analyzes GitHub activity metadata to provide engineering analytics. We intentionally limit our data collection to the minimum required for our service. Our data collection client is explicitly read-only—GraphQL mutations are programmatically blocked and will raise runtime errors if attempted.
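
One way a collection client can enforce the read-only rule described above, shown as an added illustration and not Warclick's own code: the guard classifies every operation in a GraphQL document and refuses to send anything other than a query. The names ReadOnlyGraphQLClient, MutationBlocked and the injected transport callable are assumptions.

```python
import re

# Minimal GraphQL lexer: comments and string literals are consumed as single
# tokens, so the word "mutation" inside them is never mistaken for a keyword.
_TOKEN = re.compile(r'''
    (?P<skip>\#[^\n]*|[\s,]+)
  | (?P<string>"""(?:\\"""|.)*?"""|"(?:\\.|[^"\\\n])*")
  | (?P<name>[_A-Za-z][_0-9A-Za-z]*)
  | (?P<punct>\.\.\.|[!$&()\[\]{}:=@|])
  | (?P<other>.)
''', re.VERBOSE | re.DOTALL)

class MutationBlocked(RuntimeError):
    """Raised before any request is sent (hypothetical name)."""

def operation_types(document):
    """Return the type of every top-level operation, in document order."""
    ops, depth, at_definition_start = [], 0, True
    for m in _TOKEN.finditer(document):
        kind, text = m.lastgroup, m.group()
        if kind in ("skip", "string"):
            continue
        if depth == 0 and at_definition_start:
            if text == "{":
                ops.append("query")            # shorthand anonymous query
            elif text in ("query", "mutation", "subscription"):
                ops.append(text)
            elif text != "fragment":           # anything else: fail closed
                raise ValueError(f"unexpected top-level token {text!r}")
            at_definition_start = False
        if text in ("{", "(", "["):
            depth += 1
        elif text in ("}", ")", "]"):
            depth -= 1
            if depth < 0:
                raise ValueError("unbalanced brackets")
            at_definition_start = depth == 0 and text == "}"
    if depth != 0 or not ops:
        raise ValueError("incomplete document or no operation")
    return ops

class ReadOnlyGraphQLClient:
    def __init__(self, transport):
        self._transport = transport            # assumed callable(document, variables)

    def execute(self, document, variables=None):
        blocked = [op for op in operation_types(document) if op != "query"]
        if blocked:
            raise MutationBlocked(f"refusing to send {blocked[0]} operation")
        return self._transport(document, variables or {})
```

The check runs on the whole document, so a mutation placed after a harmless query in the same request is rejected as well.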

What We Collect

  • Commit timestamps, SHAs, and counts
  • Commit messages (for grouping activity)
  • Pull request metadata (title, timestamps, merge status)
  • Code review activity (counts, timestamps, states)
  • Lines added/removed (counts only, not diffs)
  • Repository names, branches, and visibility
  • User display names, GitHub usernames, and email addresses

What We Never Access

  • Source code or file contents
  • File names, paths, or directory structures
  • Blobs, trees, or repository archives
  • Code diffs or patches
  • Issue or PR body/description content
  • Secrets, API keys, or credentials
  • Repository clones

Multi-Tenant Isolation

Every organization's data is strictly isolated at the database level. There is no possibility of cross-organization data leakage.

  • Database-level isolation. Every data table includes a company_id foreign key constraint. Unique indexes combine (company_id, resource_id) to prevent cross-organization data collisions at the schema level.

  • Query-level enforcement. All database queries include explicit WHERE company_id = ? clauses. There are no global queries that span multiple organizations.

  • API access validation. Every API endpoint calls ensure_company_access() to validate organization membership before returning data. Failed access attempts are logged for security auditing.

  • No shared data. Your organization's metrics, developer profiles, and activity data are never visible to other organizations.
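
The three enforcement layers above, sketched as an added example that is not Warclick's code. SQLite stands in for Aurora PostgreSQL, and the table names, column names other than company_id and resource_id, the signature of ensure_company_access() and the audit logger are assumptions; all rows are constructed.

```python
import logging
import sqlite3

audit_log = logging.getLogger("audit")  # assumption: denials go to an audit logger

SCHEMA = """
CREATE TABLE companies (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE memberships (
    user_login TEXT NOT NULL,
    company_id INTEGER NOT NULL REFERENCES companies(id),
    PRIMARY KEY (user_login, company_id));
CREATE TABLE pull_requests (
    company_id  INTEGER NOT NULL REFERENCES companies(id),
    resource_id TEXT NOT NULL,
    title       TEXT NOT NULL);
-- Uniqueness is per tenant, so equal resource ids in two tenants never collide.
CREATE UNIQUE INDEX pr_company_resource ON pull_requests (company_id, resource_id);
"""

def build_demo_db():
    """In-memory database with constructed rows for two organizations."""
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")   # SQLite enforces FKs only when asked
    db.executescript(SCHEMA)
    db.executemany("INSERT INTO companies VALUES (?, ?)", [(1, "acme"), (2, "globex")])
    db.executemany("INSERT INTO memberships VALUES (?, ?)", [("alice", 1), ("bob", 2)])
    db.executemany("INSERT INTO pull_requests VALUES (?, ?, ?)",
                   [(1, "PR_1", "acme: fix login"), (2, "PR_1", "globex: add cache")])
    return db

def ensure_company_access(db, user_login, company_id):
    """Raise unless the user belongs to the organization; log the denial."""
    row = db.execute("SELECT 1 FROM memberships WHERE user_login = ? AND company_id = ?",
                     (user_login, company_id)).fetchone()
    if row is None:
        audit_log.warning("denied user=%s company_id=%s", user_login, company_id)
        raise PermissionError("not a member of this organization")

def list_pull_requests(db, user_login, company_id):
    """Membership check first, then a query that is always scoped to one tenant."""
    ensure_company_access(db, user_login, company_id)
    rows = db.execute("SELECT resource_id, title FROM pull_requests "
                      "WHERE company_id = ? ORDER BY resource_id", (company_id,))
    return rows.fetchall()
```

Both organizations hold a row with resource id PR_1; the composite index accepts that, while a second PR_1 inside one organization or a row pointing at a nonexistent company_id is rejected by the schema.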

Authentication & Authorization

Warclick uses GitHub OAuth for authentication, leveraging GitHub's security infrastructure rather than managing passwords directly.

  • GitHub OAuth 2.0. Users authenticate through GitHub's secure OAuth flow. We never see or store GitHub passwords.

  • GitHub App integration. Data collection uses a GitHub App whose permissions are all read-only: repository metadata, pull requests, issues, commit statuses, and organization membership. No write access is requested or granted.

  • Minimal OAuth scopes. User authentication requests only three OAuth scopes: read:user, user:email, and read:org. No repository content or admin scopes are requested.

  • Role-based access. All authenticated users within an organization can view activity analytics. Administrative functions (repository tier settings, scoring configuration, user permissions, billing) are restricted to organization admins only.

  • JWT session tokens. Access tokens expire after 45 minutes by default. Tokens are stored in secure HttpOnly cookies and support revocation via session tracking.

Infrastructure & Hosting

All Warclick infrastructure runs on Amazon Web Services (AWS) within the United States.

  • AWS us-east-2 (Ohio) exclusively. All compute, database, and storage resources are located in the AWS Ohio region. The region is hardcoded in our deployment configuration—there is no multi-region setup and no data replication outside us-east-2.

  • Encryption at rest. All database storage uses AWS-managed encryption (AES-256) via Aurora's built-in encryption.

  • Encryption in transit. All API traffic uses TLS 1.2+ encryption. Database connections use PostgreSQL native SSL/TLS.

  • Managed services. We use AWS Aurora PostgreSQL, AWS Lambda, and SQS—all managed services that inherit AWS's SOC 2 Type II, ISO 27001, and other compliance certifications.

Billing & Payment Security

All payment processing is handled by Stripe, a PCI DSS Level 1 certified payment processor.

  • Stripe-managed payments. Credit card numbers and payment details are sent directly to Stripe via Stripe Checkout. Warclick servers never see or store payment card information—not even temporarily.

  • PCI DSS compliance. Stripe maintains PCI DSS Level 1 certification, the highest level of compliance. All sensitive payment data is handled entirely on their certified infrastructure.

  • Webhook signature verification. All Stripe webhook events are cryptographically verified using Stripe's signature validation before processing, preventing spoofed payment events.

  • Subscription metadata only. We store only Stripe customer ID, subscription ID, plan type, and billing status. No card numbers, expiry dates, or CVV codes are ever stored.

Data Retention & Deletion

  • Active accounts. Data is retained for the duration of your subscription plus a reasonable period for service continuity.

  • Post-cancellation. After subscription cancellation or GitHub App uninstallation, customer data is retained for up to 120 days for billing reconciliation and to allow for service reactivation. After this period, data will be permanently deleted.

  • On-demand deletion. Organization administrators can request immediate deletion of their organization's data at any time.

Incident Response

In the event of a security incident affecting customer data, Warclick will notify affected organizations within 72 hours of confirmed breach discovery.

  • Notification timeline. Affected customers will be notified within 72 hours via email to the organization administrator on file.

  • Incident details. Notifications will include the nature of the incident, data potentially affected, and remediation steps taken.

  • Continuous monitoring. We monitor for unauthorized access attempts and anomalous activity patterns.

Security Questions

For security-related questions, to report a vulnerability, or to request additional documentation for your security review, please contact:

wlparker+security at gmail.com

Last updated: February 5, 2026