Security and compliance overview
DocuBot is designed to transform your code into documentation while maintaining the integrity and privacy of your intellectual property. This overview explains how the platform handles your data, manages access, and ensures a secure environment for your documentation sites.
Security model summary
DocuBot uses a layered security model to protect your account and your source code. Access management relies on industry-standard protocols to ensure that only authorized users can manage documentation projects.
User authentication
You access the DocuBot dashboard exclusively through Google Sign-In. This approach leverages Google’s robust security infrastructure, including multi-factor authentication (MFA), to verify your identity. DocuBot does not store or manage your passwords directly.
Repository access
To generate documentation from private repositories, DocuBot uses GitHub OAuth. When you connect your GitHub account, you grant DocuBot specific, limited permissions to read your repository content. You can revoke this access at any time through your GitHub settings or the DocuBot dashboard.
Role-based management
The platform uses internal roles to ensure that only the owner of a documentation project can modify its settings, trigger manual syncs, or delete the project. Public documentation sites are served as static content, which inherently reduces the attack surface compared to dynamic applications.
Data handling and privacy
Your source code is your most valuable asset. DocuBot treats it as temporary data during the documentation generation process.
Ephemeral processing
When a sync job starts, DocuBot retrieves a copy of your repository to analyze it. This processing happens in an ephemeral environment. Once the AI generates the documentation and the static site is built, the copy of your source code is permanently deleted from the processing environment. DocuBot does not keep a permanent mirror of your source code.
Static output storage
The final documentation is published as static HTML, CSS, and JavaScript. These files are stored in secure cloud storage. Because the published site is static, it doesn’t require a database or runtime code execution to serve pages to your users, so the published site has no database query layer for attacks such as SQL injection to target.
Token encryption
Any sensitive integration data, such as GitHub OAuth tokens, is encrypted at rest. This ensures that even in the unlikely event of unauthorized data access, your credentials remain protected.
Compliance scope
DocuBot is built on secure, enterprise-grade cloud infrastructure that adheres to global security standards.
- Infrastructure security: The platform runs on infrastructure that maintains various certifications, including SOC 2 and ISO 27001.
- Encryption in transit: All communication between your browser, the DocuBot dashboard, and the generated documentation sites is encrypted using HTTPS (HTTP over TLS).
- AI privacy: DocuBot uses privacy-focused AI processing. Your repository content is used solely to generate your specific documentation and is not used to train foundation models for other users.
Administrative security controls
As an administrator, you have several tools to manage the security posture of your documentation.
- Slug reservation: You define a unique URL slug for your documentation. Once reserved, this slug is tied to your account to prevent “squatting” or impersonation.
- Sync scheduling: You control the frequency and timing of repository scans. You can set these to run monthly, weekly, or daily, or keep them manual to ensure docs only update when you’re ready.
- Ignore patterns: You can configure ignore patterns to exclude specific directories or files from being analyzed. This is useful for keeping sensitive configuration files or third-party libraries out of the documentation context.
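A pre-sync check for the ignore patterns described above, as an added example that is not DocuBot's own code: it flags files that look sensitive and are not covered by your patterns. It assumes glob-style patterns matched against repository-relative paths (this page does not specify DocuBot's pattern syntax); the sensitive-name list, function names, and sample paths are constructed.

```python
from fnmatch import fnmatchcase

# Constructed heuristics for file names that often hold secrets (assumption).
SENSITIVE_GLOBS = [".env*", "*.env", "*.pem", "*.key", "*secret*", "*credentials*"]

def is_ignored(path, ignore_patterns):
    """Return True if a repo-relative path is covered by any ignore pattern.

    Assumed semantics (not DocuBot's documented syntax):
      'dir/'  excludes a directory with that name at any depth, or that leading path,
      'a/b*'  (contains '/') is matched against the full path,
      '*.ext' (no '/') is matched against the file name only.
    """
    parts = path.split("/")
    dirs, name = parts[:-1], parts[-1]
    for pat in ignore_patterns:
        if pat.endswith("/"):
            d = pat.rstrip("/")
            # Match a single directory component or a leading directory prefix.
            if any(fnmatchcase(dirs[i], d) or fnmatchcase("/".join(dirs[: i + 1]), d)
                   for i in range(len(dirs))):
                return True
        elif "/" in pat:
            if fnmatchcase(path, pat):
                return True
        elif fnmatchcase(name, pat):
            return True
    return False

def looks_sensitive(path):
    """Heuristic: does the file name resemble a secrets or key file?"""
    name = path.split("/")[-1].lower()
    return any(fnmatchcase(name, g) for g in SENSITIVE_GLOBS)

def exposed_sensitive_files(paths, ignore_patterns):
    """Sensitive-looking files that would still reach the analysis step."""
    return sorted(p for p in paths
                  if looks_sensitive(p) and not is_ignored(p, ignore_patterns))

# Constructed sample: `git ls-files` output for a hypothetical repository.
SAMPLE_PATHS = ["src/app.py", "config/.env.production", "deploy/keys/tls.pem",
                "vendor/lib/secret_utils.js", "docs/readme.md", "config/credentials.yml"]

if __name__ == "__main__":
    for p in exposed_sensitive_files(SAMPLE_PATHS, ["vendor/", "*.pem"]):
        print("not covered by ignore patterns:", p)
```

Feed it the real output of `git ls-files` and your configured patterns before the first sync, and again whenever the patterns change.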
Reporting security issues
We take security concerns seriously. If you discover a potential vulnerability or have questions about our security practices, please reach out to our support team immediately.
- Email: support@ademero.com
- Support portal: https://www.ademero.com
- Phone: 863-937-0272