Security

Security Policy

Last updated 24 June 2026

Security and privacy are core to how Ngaio builds software. This page explains the measures we take to protect data across our apps, and how to report a vulnerability if you find one. Ngaio is operated by Sonny Graystone. This policy works alongside our Privacy Policy and Terms of Service.

Our approach

Hosting and infrastructure

Pull Request Viewer is a JetBrains IDE plugin that runs locally on your machine. Its credentials never leave your device except as access tokens sent directly to Bitbucket or GitHub over HTTPS. The only Ngaio-operated component it uses is a lightweight Bitbucket OAuth token-exchange proxy, which keeps the OAuth client secret out of the distributed plugin and is not designed to log, store, or reuse your tokens.

The ngaio.dev website is a static site hosted on Cloudflare.

Encryption

In transit: all connections to our website and between our apps and the services they integrate with use TLS 1.2 or higher, and our website is served with HTTP Strict Transport Security (HSTS).

At rest: Pull Request Viewer credentials are stored on your local machine using IntelliJ's PasswordSafe API, which delegates to your operating system's secure credential store (macOS Keychain, Windows Credential Manager, or a compatible Linux secret store).

Access control and data isolation

Pull Request Viewer stores credentials through IntelliJ's PasswordSafe API on your machine. For any server-side component we operate, access to production systems and stored data is limited to what is necessary to operate and support the apps.

Data retention and deletion

We retain operational data only for as long as it is needed to provide the service, except where retention is required by law. Full detail is in our Privacy Policy.

Sub-processors

We use a small set of service providers, including Cloudflare, to operate our apps and website. They are listed, along with the data they process, in our Privacy Policy.

Reporting a vulnerability

If you believe you have found a security or privacy vulnerability in any Ngaio app, website, or service, please report it to us privately at support@ngaio.dev with the subject line "Security". Please include enough detail for us to reproduce the issue — for example, the affected app or URL, a description of the vulnerability, and the steps to reproduce it.

When you report in good faith, here is what you can expect from us:

Responsible disclosure guidelines

We ask that, while researching, you:

Safe harbor. If you make a good-faith effort to comply with these guidelines during your research, we will consider your testing to be authorized, will work with you to understand and resolve the issue quickly, and will not pursue or support legal action against you in connection with your report. We do not currently operate a paid bug-bounty program.

Contact

For any security question or report, email support@ngaio.dev.