cubic is built by developers, for developers. We understand that your source code is your most valuable asset, so we designed our systems with security and privacy as a first-principle—not an afterthought.

Our guiding principles

  • Short-lived processing – We never permanently store your repository’s source code. Your code is fetched into an isolated, short-lived sandbox only while an AI review is running and is irreversibly deleted as soon as the job completes.
  • Encryption everywhere – All data is encrypted in transit (TLS 1.2+) and at rest (AES-256), including database records and object storage.
  • Least-privilege access – The cubic GitHub App requests the minimum scope required to perform reviews. No additional write-or-admin permissions are granted unless they are strictly necessary (see below).
  • Transparent operations – We publish this page so that every customer—current or prospective—can understand exactly how we treat their data. If you have questions, email us any time at contact@cubic.io. Our data handling practices are further detailed in our Privacy Policy and use of the service is governed by our Terms of Service.

SOC 2 status

cubic is committed to achieving SOC 2 Type II compliance to provide the highest level of security and trust for our customers. We are actively working towards this certification and have implemented many of the required controls internally (such as change management, access management, and vulnerability management). We will update this page and proactively notify customers as we progress through the formal audit process.

Permissions requested by the cubic GitHub App

Granting the following scopes allows cubic to read pull-requests, leave review comments, and update PR status checks.
ScopeAccessWhy we need it
AdministrationRead-onlyAccess repository settings and organization information
ActionsRead & writeManage GitHub Actions workflows and runs
ChecksRead & writeSurface pass/fail status checks for AI review completion
CodeRead & writeFetch the diff, surrounding context, and make changes when required
Commit statusesRead-onlyMonitor and display commit status in the cubic UI
DeploymentsRead-onlyAccess deployment information for integration purposes
IssuesRead & writeCreate and manage issues when needed
MetadataRead-onlyDisplay repository information inside the cubic UI
Pull requestsRead & writePost AI-generated review comments and resolve threads when feedback is addressed
WorkflowsRead & writeIntegrate with and manage GitHub workflow runs
Note: You can install the cubic App on a single repository or an entire organization. Access is scoped to the repositories you select during installation, and can be modified at any time from GitHub’s “Installed Apps” settings page.

How AI code review works

  1. Event trigger – Whenever a pull request is opened or updated, GitHub sends cubic a webhook describing the event.
  2. Ephemeral sandbox – A new isolated container is launched. The sandbox has no network egress.
  3. Analysis – The pull-request diff and only the necessary context needed for reviewing the PR are processed by AI models.
  4. Comment publication – The generated review comments are posted back to the PR via the GitHub API.
  5. Secure teardown – The sandbox (filesystem, memory, logs) is destroyed immediately after the review finishes.
At no point is your repository cloned to a long-lived server or stored in a database. If the review is cancelled or the PR is closed, the sandbox is destroyed right away.

AI subprocessors

cubic uses best-in-class large-language models hosted by vetted providers (currently OpenAI and Anthropic). Our agreements with these subprocessors explicitly prohibit using your data for model training. Only the minimal code snippets required for the requested analysis are transmitted, and all requests are sent over encrypted channels. If your organization prefers to completely block AI features, please contact us and we can disable them for your workspace.

Logging & metadata

We record operational metadata only—for example, the duration of a review run or the size of the diff. Neither full source code nor pull-request diffs are written to our logs.

Reporting a security issue

If you believe you have found a vulnerability in cubic, please email our security team at contact@cubic.io with the subject line “Security Vulnerability”. We investigate all reports promptly and appreciate the efforts of the security community.