Security is table stakes for pipeline infrastructure.
Here's exactly how SuperPlane handles your code and your pipeline data. No vague marketing — specific answers to the questions your security team will ask.
Four areas that matter.
Data handling
SuperPlane never stores source code. Only commit metadata (file paths, SHA, author) and test result summaries (pass/fail per suite, not test body content) pass through our systems. Your actual code stays on your infrastructure.
Access control
OAuth-based repo connections with minimum required scopes. Repository tokens are encrypted at rest using AES-256. Tokens are scoped to the specific repos you connect — SuperPlane cannot access repos you haven't explicitly authorized.
Network security
TLS 1.3 for all data in transit. API tokens are scoped to the minimum permissions required for each integration. No inbound connections required — SuperPlane communicates outbound to your CI systems via webhook or API.
Run isolation
Each pipeline run executes in an isolated context. No cross-tenant data sharing. Provisioned environments are isolated per run and per org. All ephemeral credentials used during environment provisioning are rotated per run.
What passes through SuperPlane
| Data type | Stored? | Retention | Notes |
|---|---|---|---|
| Source code | Never | — | Not accessed or transmitted |
| Commit metadata (SHA, paths, author) | Yes | 90 days | Used to build test selection model |
| Test result summaries (pass/fail) | Yes | 90 days | Per-suite outcomes only, not test code |
| Pipeline timing data | Yes | 90 days | Used for observability run log |
| OAuth tokens | Yes (encrypted) | Until revoked | AES-256 at rest, minimum scope |
| Env configuration (policy file) | Yes | Until deleted | Your policy.yml content |
Found a vulnerability?
Report it to [email protected]. We respond within 24 hours and we do not take legal action against good-faith security researchers.
Include a clear description of the vulnerability, reproduction steps, and your assessment of severity. We'll coordinate disclosure timing with you.