Coming soon: Build Data + AI systems with evidence built in. Preview
Security at Mitari

Security at Mitari

Mitari is built with a security-first posture for teams verifying sensitive data, analytics, and ML code. We are currently pre-SOC 2 and designed to support enterprise security reviews.

Least-privilege access

Mitari only accesses the repositories and files needed to provide reviews, scans, and findings — limited to what your GitHub administrators authorize.

Customer-controlled retention

Request data deletion, set retention policies where supported, and opt out of AI training or secondary use beyond service delivery.

Enterprise review support

We support security reviews and can provide a DPA and CAIQ-style security responses on request.

What Mitari accesses

Mitari only accesses the repositories and files needed to provide the product: PR reviews, repository scans, Observability, API-based reviews, and related findings. GitHub App access is limited to repositories authorized by the customer's GitHub administrators.

Current GitHub App permissions are shown during installation. Mitari requests only the access required to operate the reviews, scans, and findings described above.

What happens to your code

Mitari is designed so customer code is processed only to provide the service, subject to the customer's agreement and retention settings.

Processing and storage occur in Mitari's cloud environment and configured subprocessors. Enterprise customers may request details during security review.

Retention and deletion terms are governed by our current Terms of Service and Privacy Policy.

Subprocessors

Mitari uses a small set of subprocessors to operate the service, including cloud hosting, GitHub integration, model inference providers, monitoring/logging, email delivery, and payment processing. Enterprise customers may request the current subprocessor list during review.

Where available, Mitari uses model provider configurations or contractual terms designed to prevent customer code from being used for model training.

Data protection

Encryption in transit

HTTPS/TLS for network communication.

Encryption at rest

Data stored in managed infrastructure with encryption at rest where supported.

Tenant isolation

Customer data is logically separated by account and organization.

Access controls

Internal access is limited to authorized personnel with a business need.

Private repository contents are never publicly exposed. Hosting region details are available to enterprise customers on request.

Authentication and access

Enterprise customers may use SSO/SAML where supported. API access is controlled through scoped API keys that can be rotated or revoked. Mitari applies rate limits and internal least-privilege access controls, with MFA required for sensitive internal systems.

Customer controls

You stay in control of what Mitari processes and retains.

Compliance posture

Mitari is currently pre-SOC 2. We support enterprise security reviews and can provide a DPA and CAIQ-style security responses on request. Mitari is designed to support privacy obligations under frameworks such as GDPR and CCPA, subject to the applicable customer agreement and data processing terms.

Incident response

Mitari maintains an incident response process for identifying, triaging, investigating, and remediating security events. If we determine that a security incident affects customer data, we will notify affected customers in accordance with applicable law and contractual commitments.

Vulnerability disclosure

To report a vulnerability, contact info@mitari.ai.

Please include a description of the issue, the affected endpoint or workflow, reproduction steps, and any relevant screenshots or logs. Do not access, modify, or exfiltrate data that does not belong to you.

Security reviews & enterprise questionnaires

For security reviews, DPAs, CAIQ requests, or enterprise questionnaires, reach out and our team will help. You can also talk to us about enterprise deployments.

Contact info@mitari.ai

This page summarizes Mitari's security posture. For contractual terms governing data use, retention, deletion, and privacy rights, please review our Terms of Service and Privacy Policy.

Last updated: June 2026