
Security & Privacy

How Nebulayer handles your code and data

What We Access

  • Repository contents (read-only): to read file trees and file contents, and to parse imports/exports for visualization
  • Repository metadata (read-only): to list repo names and detect default branches

What we don't access

  • We never write to your repositories
  • We never access issues, pull requests, or wikis
  • We never access your email, SSH keys, or billing info
  • We never access repos you haven't explicitly granted

How Authentication Works

1. Sign in (identity only)

We use GitHub OAuth to learn your username and avatar. That's it. No repository scope is requested at this step, so we can't see any of your repos from sign-in alone.

2. Connect repositories (you choose)

You install the Nebulayer GitHub App and choose exactly which repos to share. This happens on GitHub's own interface, and we can't see repos you don't select.

You can modify or revoke access anytime from your GitHub Settings → Applications → Installed GitHub Apps.

What Happens to Your Code

During analysis

  • File contents are fetched via GitHub's API and parsed in memory on our server
  • We extract: file paths, import/export statements, and line counts
  • The raw source code is NEVER stored — not in our database, not on disk, not in logs
  • After parsing, the source code exists only in server memory during the request and is garbage collected

What we store

  • Graph metadata: file paths, categories (component/hook/page/etc.), connection counts, line counts
  • Timeline metadata: created dates, last modified dates, commit counts per file
  • Your profile: GitHub username and avatar (from OAuth)
  • Your saved repos: just the URL and last-analyzed timestamp

What we never store

  • Source code contents
  • GitHub access tokens — generated fresh per-request, expire in 1 hour, never touch our database
  • Import/export specifics beyond connection counts
  • File contents of any kind

Your Controls

  • Choose repos: you select exactly which repos to share during installation
  • Add/remove repos: modify your installation anytime on GitHub
  • Disconnect: one-click disconnect from Nebulayer's settings
  • Revoke from GitHub: even without visiting Nebulayer, revoke from github.com/settings/installations

Technical Details

Token lifecycle

App JWT (RS256, signed with the app's RSA private key, valid for at most 10 minutes) → exchanged for an installation access token scoped to your installation's repos and permissions → 1-hour expiry → never stored in the database. A fresh token is generated for each API request.

Encryption

All traffic over HTTPS/TLS. Database encrypted at rest via Supabase (AES-256).

Infrastructure

Hosted on Vercel (SOC 2 compliant). Database on Supabase (SOC 2 compliant).

Row-Level Security

All database tables use Supabase RLS policies, so a query made with a user's own session can only read or write rows belonging to that user. Server-side writes use a service-role client. The service-role key bypasses RLS on every query it issues, so the restriction to verified operations is enforced in our server code rather than by the database: each write happens only after the user's identity has been verified and is scoped to that user's rows, and the key is used only in server-side code.

Questions? Open an issue on GitHub

Last updated: February 2026