Security and privacy are core to how Ngaio builds software. This page explains the measures we take to protect data across our apps, and how to report a vulnerability if you find one. Ngaio is operated by Sonny Graystone. This policy works alongside our Privacy Policy and Terms of Service.
Our approach
- We collect and retain only the data an app needs to function.
- Credentials are handled through the local operating system credential store where possible; they are not exposed to the browser.
- Each customer's data is logically isolated from other customers'.
- We rely on the secure infrastructure of established platforms such as Cloudflare rather than running our own data centers.
Hosting and infrastructure
Pull Request Viewer is a JetBrains IDE plugin that runs locally on your machine. Its credentials never leave your device except as access tokens sent directly to Bitbucket or GitHub over HTTPS. The only Ngaio-operated component it uses is a lightweight Bitbucket OAuth token-exchange proxy, which keeps the OAuth client secret out of the distributed plugin and is not designed to log, store, or reuse your tokens.
The ngaio.dev website is a static site hosted on Cloudflare.
Encryption
In transit: all connections to our website and between our apps and the services they integrate with use TLS 1.2 or higher, and our website is served with HTTP Strict Transport Security (HSTS).
At rest: Pull Request Viewer credentials are stored on your local machine using IntelliJ's PasswordSafe API, which delegates to your operating system's secure credential store (macOS Keychain, Windows Credential Manager, or a compatible Linux secret store).
Access control and data isolation
Pull Request Viewer stores credentials through IntelliJ's PasswordSafe API on your machine. For any server-side component we operate, access to production systems and stored data is limited to what is necessary to operate and support the apps.
Data retention and deletion
We retain operational data only for as long as it is needed to provide the service, except where retention is required by law. Full detail is in our Privacy Policy.
Sub-processors
We use a small set of service providers, including Cloudflare, to operate our apps and website. They are listed, along with the data they process, in our Privacy Policy.
Reporting a vulnerability
If you believe you have found a security or privacy vulnerability in any Ngaio app, website, or service, please report it to us privately at support@ngaio.dev with the subject line "Security". Please include enough detail for us to reproduce the issue — for example, the affected app or URL, a description of the vulnerability, and the steps to reproduce it.
When you report in good faith, here is what you can expect from us:
- we will acknowledge your report, typically within three business days;
- we will investigate, keep you informed of progress, and let you know when the issue is resolved; and
- we are happy to credit you for the discovery once the issue is fixed, if you would like.
Responsible disclosure guidelines
We ask that, while researching, you:
- give us a reasonable opportunity to investigate and fix the issue before disclosing it publicly;
- make a good-faith effort to avoid privacy violations, data destruction, and interruption or degradation of our services;
- only interact with accounts you own or have explicit permission to access, and do not access, modify, or delete other people's data; and
- do not run automated denial-of-service tests, spam, or social-engineering attacks.
Safe harbor. If you make a good-faith effort to comply with these guidelines during your research, we will consider your testing to be authorized, will work with you to understand and resolve the issue quickly, and will not pursue or support legal action against you in connection with your report. We do not currently operate a paid bug-bounty program.
Contact
For any security question or report, email support@ngaio.dev.