Security & Permissions

Updated: 25th January 2026

We believe transparency is essential to trust. This page explains exactly what Pull Checklist can access, what data we read, what actions we can take, and which third-party services are involved. Use this page for your compliance reviews and security assessments.

If you require a formal security walkthrough, questionnaire support, or extended data retention, these are available under our Enterprise plan.

Repository Access

Pull Checklist uses a GitHub App to access your repositories. This means you have complete control over which repositories we can see.

How Access Works

  • You choose which repositories to grant access to during installation. You can select specific repositories or grant access to all repositories in your organization.
  • Repositories not granted cannot be seen by Pull Checklist. We have no visibility into repositories you have not explicitly authorized.
  • You can modify access at any time through your GitHub App installation settings. Add or remove repositories as your needs change.
  • Revoking access is instant. Uninstall the GitHub App or remove specific repositories, and we immediately lose all access.

Why Some Repositories May Not Appear

If a repository does not appear in Pull Checklist, it may be because:

  • The GitHub App is not installed for that repository
  • You selected specific repositories during installation and did not include it
  • Organization policies restrict third-party app access

Data Scope

Below is exactly what Pull Checklist reads and what we never access. We follow the principle of minimal data access and only read what is necessary to provide checklist functionality.

What We Read

  • Pull Request Metadata

    Title, author, timestamps, labels, and status

  • Pull Request Diffs

    Code changes in open pull requests only. Processed in memory for conditional rule evaluation and never stored. No historical access.

  • File Paths Changed

    Names and paths of files modified in the pull request

  • Review Status

    Approval status, requested reviewers, and review comments

  • Commit Messages

    Commit messages associated with pull requests

  • PR Descriptions

    The description text you write for pull requests

What We Never Read

  • Source Code or Repository Contents

    Repositories are never cloned. No access to files outside of PR diffs.

  • Code Outside Active Pull Requests

    Historical code, closed PRs, and branches not in an open PR are inaccessible

  • Secrets or Credentials

    Environment variables, API keys, or tokens

  • Production Systems

    No access to runtime environments, databases, or deployed infrastructure

  • Other GitHub Data

    Projects, wikis, discussions, or actions logs

Permissions & Actions

Below are the GitHub permissions we request and why, plus a clear list of what we can and cannot do with your repositories.

GitHub Permissions Requested

PermissionAccess LevelPurpose
Pull RequestsRead & WriteRead PR details and post checklist comments
ChecksWriteCreate status checks to show checklist completion
IssuesReadRead issue references linked in pull requests
Repository MetadataReadRead repository name, settings, and collaborators
WebhooksRead & WriteReceive notifications when PRs are opened or updated

What Pull Checklist Can Do

  • Post checklist comments on pull requests
  • Create and update status checks
  • Request reviews from team members
  • Read pull request metadata and comments

What Pull Checklist Cannot Do

  • Merge pull requests
  • Modify, delete, or commit code
  • Access repository contents or source files
  • Change repository settings or permissions
  • Access data from repositories not granted
  • Delete branches, issues, or comments

Third-Party Services

Pull Checklist uses the following third-party services. Links to their security documentation are provided for your review.

GitHub

Core API integration for pull request functionality

Security documentation →

Render

Application hosting, managed PostgreSQL, and Redis (US-East region)

Security documentation →

BetterStack (Logtail)

Structured application logging. Receives request logs including URL paths, user IDs, and IP addresses.

Security documentation →

PostHog

Privacy-focused product analytics (EU hosted)

Security documentation →

Intercom

Customer support and help chat. Receives user ID, GitHub handle, and email for authenticated users.

Security documentation →

Data sharing: We do not sell your data. Third-party services only receive the minimum data necessary for their function. Repository code and content are never shared with analytics or support services.

Questions?

Security walkthroughs, questionnaires, and compliance reviews are handled under our Enterprise plan. To get started, book a call at cal.com/pullchecklist/30min or email hello@pullchecklist.com.