πŸ” Enterprise-Grade Security

Security at CommitMind

CommitMind is designed with developer privacy and security as core principles. We believe in radical transparency: this page explains exactly how we protect your data, code, and intellectual property.

🔒 End-to-End Encryption
🔄 Stateless Processing
🚫 No Data Training
🛡️ Abuse Protection

Secure Architecture

CommitMind operates as a stateless AI processing platform. We follow security best practices and industry standards:

🔐 TLS 1.3: All communication encrypted with modern protocols
🔄 Stateless: No persistent storage of Git diffs
🛡️ WAF: Web Application Firewall protection
📊 Monitoring: 24/7 automated threat detection
  • Encryption in Transit: All API communication occurs over secure HTTPS connections with TLS 1.3.
  • Infrastructure Security: Our infrastructure is protected by modern cloud security practices, including DDoS protection, WAF, and intrusion detection.
  • Access Control: Server access is strictly restricted using multi-factor authentication and principle of least privilege.
  • Rate Limiting: Internal systems are protected using sophisticated rate limiting and abuse detection mechanisms.
Stateless by Design: CommitMind processes your Git diffs in memory only during generation. Once the AI response is delivered, all trace of your diff is permanently discarded.

Git Data Handling

Your code is your intellectual property. We treat it with the utmost respect:

  • Temporary Processing Only: Git diffs are processed temporarily and discarded immediately after the AI response is generated.
  • No Persistent Storage: Git diffs are never permanently stored in any database, log, or backup.
  • No Indexing: Repository contents are not indexed, cached, or saved for any purpose.
  • No Direct Access: CommitMind does not access your Git repository directly. Only the diff text explicitly sent by the extension is processed.
  • Memory-Only: Diffs exist only in volatile memory during the request lifecycle and are garbage-collected immediately.
Your Code Stays Yours: We cannot see your full repository, we cannot access your files, and we never store your diffs. This is not just policy: it's engineering.

AI Model Privacy

We are committed to ensuring your data is not used to train AI models:

  • No Training: CommitMind does not use your Git diffs or generated commit messages to train our AI models or any third-party AI models.
  • On-Demand Generation: AI responses are generated on-demand and are not retained for any purpose.
  • Third-Party Processing: AI requests may be processed by third-party AI providers such as OpenAI or Anthropic.
  • Provider Policies: These providers process requests according to their own privacy policies. We recommend reviewing them.
Important: When using our default AI provider (not BYOK), your diff is sent to their API for generation. However, we ensure that no identifying information is included beyond the diff itself.

Bring Your Own API Key (BYOK)

For maximum privacy and control, Pro users can use their own AI provider API key:

💻 Local Storage: Key stored only in your extension
🚫 No Server Copy: CommitMind servers never store your key
  • Local Storage: Your API key is stored locally within the CommitMind VS Code extension on your device.
  • No Persistence: CommitMind servers do not store or persist your API keys in any form.
  • Transmission Only: The key is transmitted only when generating AI responses and is not logged.
  • Full Control: You remain fully in control of your AI provider usage, billing, and data handling.
  • Encryption: Keys are encrypted in transit using TLS and are never exposed in logs.
Maximum Privacy: With BYOK, your diffs go directly from your machine to your chosen AI provider. CommitMind acts only as a smart proxy: we never see your key, and your data bypasses our systems entirely.

Platform Abuse Protection

To protect system stability, ensure fair usage, and prevent malicious activity:

⏱️ Daily Limits: 20/200 operations per day
🔄 Rate Limiting: Per-endpoint throttling
🤖 Bot Detection: Automated abuse monitoring
🚫 Account Suspension: For terms violations
  • Daily Operation Limits: Free: 20 operations/day | Pro: 200 operations/day
  • Rate Limiting: Sophisticated rate limiting on all API endpoints to prevent DoS attacks.
  • Abuse Detection: Automated monitoring systems detect and respond to suspicious patterns in real-time.
  • Behavioral Analysis: Unusual usage patterns trigger additional verification or temporary blocks.
  • Enforcement: Violations may result in temporary suspension or permanent account termination.

Account Security

We implement multiple layers of security to protect user accounts:

  • Secure Session Management: HTTP-only cookies, CSRF protection, and secure session handling.
  • Authentication Controls: Strong password policies and optional two-factor authentication (coming soon).
  • Login Monitoring: Detection of suspicious login attempts and geographic anomalies.
  • Automatic Logout: Inactive sessions are automatically terminated.
  • Breach Protection: Regular security audits and penetration testing.
Pro Tip: Use a strong, unique password for your CommitMind account. Never share your credentials and enable 2FA when available.

Responsible Disclosure

We believe in working with the security community to keep CommitMind safe for everyone.

πŸ” Found a Vulnerability?

If you discover a security vulnerability in CommitMind, we encourage responsible disclosure. We commit to responding quickly and transparently.

security@commitmind.com

What to include: Description of the vulnerability, steps to reproduce, potential impact, and your contact information. PGP encryption is available upon request.

⏱️ We aim to acknowledge receipt within 24 hours and provide regular updates on progress.
🔒 No retaliation policy
⭐ Bug bounty coming soon
📝 Hall of fame

Security Updates

CommitMind processes Git diffs temporarily during AI generation and does not permanently store repository data. All diff data is discarded immediately after the AI response is generated.

We continuously improve CommitMind's security practices and infrastructure to protect users and maintain platform stability.

  • Continuous Improvement: We regularly deploy security updates and infrastructure improvements.
  • Security Patches: Critical security fixes may be deployed without prior notice when necessary.
  • Dependency Monitoring: Dependencies are monitored and updated when known vulnerabilities are discovered.
  • Secure Communication: All communication between the CommitMind extension, our servers, and AI providers is encrypted using HTTPS.
  • Abuse Protection: Rate limiting and daily usage limits help protect the platform from abuse.
Responsible Disclosure: If you discover a security vulnerability, please report it to security@commitmind.com.

Last security review: April 9, 2026 • Questions? security@commitmind.com