Security at Mitari
Mitari is built with a security-first posture for teams verifying sensitive data, analytics, and ML code. We are currently pre-SOC 2 and designed to support enterprise security reviews.
Least-privilege access
Mitari only accesses the repositories and files needed to provide reviews, scans, and findings — limited to what your GitHub administrators authorize.
Customer-controlled retention
Request data deletion, set retention policies where supported, and opt out of AI training or secondary use beyond service delivery.
Enterprise review support
We support security reviews and can provide a DPA and CAIQ-style security responses on request.
What Mitari accesses
Mitari only accesses the repositories and files needed to provide the product: PR reviews, repository scans, Observability, API-based reviews, and related findings. GitHub App access is limited to repositories authorized by the customer's GitHub administrators.
- Scoped GitHub App access — limited to the repositories a customer authorizes.
- Review context only — Mitari processes the pull request and code-review context necessary to provide reviews, scans, and findings.
- API inputs — limited to code and files submitted by the customer through Mitari's API.
- Disable without removing access — customers can disable repositories in Mitari without removing the GitHub App installation.
- GitHub is the source of truth — GitHub remains authoritative for GitHub App installation permissions.
Current GitHub App permissions are shown during installation. Mitari requests only the access required to operate the reviews, scans, and findings described above.
What happens to your code
Mitari is designed so customer code is processed only to provide the service, subject to the customer's agreement and retention settings.
- Processed to generate findings — code is analyzed to produce review findings, scans, and Observability insights.
- Not used to train foundation models — Mitari does not use customer code to train third-party foundation models.
- Opt out of secondary use — customers may opt out of any AI training or use beyond service delivery.
- Deletion on request — customers may request deletion of submitted data.
- Retention policies — customers may request retention policy settings for their account where supported.
Processing and storage occur in Mitari's cloud environment and configured subprocessors. Enterprise customers may request details during security review.
Retention and deletion terms are governed by our current Terms of Service and Privacy Policy.
Subprocessors
Mitari uses a small set of subprocessors to operate the service, including cloud hosting, GitHub integration, model inference providers, monitoring/logging, email delivery, and payment processing. Enterprise customers may request the current subprocessor list during review.
- Cloud hosting provider
- GitHub (source integration)
- Model inference provider(s)
- Monitoring and logging
- Email / transactional messaging
- Payment processing (billing only)
Where available, Mitari uses model provider configurations or contractual terms designed to prevent customer code from being used for model training.
Data protection
Encryption in transit
HTTPS/TLS for network communication.
Encryption at rest
Data stored in managed infrastructure with encryption at rest where supported.
Tenant isolation
Customer data is logically separated by account and organization.
Access controls
Internal access is limited to authorized personnel with a business need.
Private repository contents are never publicly exposed. Hosting region details are available to enterprise customers on request.
Authentication and access
Enterprise customers may use SSO/SAML where supported. API access is controlled through scoped API keys that can be rotated or revoked. Mitari applies rate limits and internal least-privilege access controls, with MFA required for sensitive internal systems.
- SSO/SAML — available for enterprise customers.
- Scoped API keys — keyed to customer/account/org use, with rotation and revocation.
- Rate limits — applied to protect the service.
- Internal least-privilege — combined with MFA for sensitive internal systems.
- Admin controls — organization admins manage members and access.
Customer controls
You stay in control of what Mitari processes and retains.
- Disable repositories in Mitari to stop future processing and credit usage.
- Request deletion of submitted data.
- Set or request retention policies for your organization.
- Opt out of AI training or secondary use beyond service delivery.
- Rotate or revoke API keys.
- Manage GitHub App repository access directly in GitHub.
Compliance posture
Mitari is currently pre-SOC 2. We support enterprise security reviews and can provide a DPA and CAIQ-style security responses on request. Mitari is designed to support privacy obligations under frameworks such as GDPR and CCPA, subject to the applicable customer agreement and data processing terms.
- SOC 2 — currently pre-SOC 2.
- DPA — available on request.
- CAIQ — CAIQ-style responses available on request.
- GDPR / CCPA — designed to support these obligations, subject to the customer agreement.
- Security questionnaires — enterprise questionnaires accepted.
Incident response
Mitari maintains an incident response process for identifying, triaging, investigating, and remediating security events. If we determine that a security incident affects customer data, we will notify affected customers in accordance with applicable law and contractual commitments.
Vulnerability disclosure
To report a vulnerability, contact info@mitari.ai.
Please include a description of the issue, the affected endpoint or workflow, reproduction steps, and any relevant screenshots or logs. Do not access, modify, or exfiltrate data that does not belong to you.
Security reviews & enterprise questionnaires
For security reviews, DPAs, CAIQ requests, or enterprise questionnaires, reach out and our team will help. You can also talk to us about enterprise deployments.
Contact info@mitari.aiThis page summarizes Mitari's security posture. For contractual terms governing data use, retention, deletion, and privacy rights, please review our Terms of Service and Privacy Policy.
Last updated: June 2026