Last updated: Dec 24, 2024
This Privacy Policy describes how Tusk AI, Inc. ("we", "us", "our", “Tusk”) collects, uses, and discloses your Personal Information when you use our application Tusk ("the App"). By using the App, you agree to the collection and use of information in accordance with this policy.
At Tusk, we are deeply committed to the privacy of your data. This Privacy Policy outlines our rigorous practices and protocols designed to protect your information, emphasizing our dedication to privacy, security, and compliance with industry standards. Our objective is to maintain a secure and trustworthy environment for all our users.
Tusk leverages a suite of top-tier managed services vendors, each complying with stringent security standards, including SOC 2. Our choice of vendors reflects our unwavering commitment to security:
- Auth0: Ensures robust authentication processes.
- Google Cloud Platform: Hosts core services such as Cloud SQL, Cloud Storage, and App Engine, alongside secure logging capabilities.
- OpenAI, Anthropic & Gemini: Power our AI models for code generation. All three organizations have strict policies ensuring data security and privacy, and do not train their models on your data.
- GitHub: Provides a secure platform for managing commits and pull requests.
- Pinecone: Aids in advanced, secure data processing.
- PostHog: Tracks product analytics and user sessions.
- Sentry: Monitors for errors and performance issues.
- Helicone: Logs LLM requests for performance monitoring.
These vendors are integral to safeguarding the integrity and security of our services, ensuring that your data is always in safe hands.
While using our App, we may collect information related to your codebase, commits, GitHub tickets, pull requests (PRs), and PR comments. However, we do not train any of our models on your source code. This data is essential to understand your interaction with our App and to continually improve our services. Specifics include:
- Code Storage: The code from GitHub is fetched at runtime and is not permanently stored on our servers. Instead, we store non-readable embeddings of the codebase ensuring data privacy.
- AI Models and Data Handling: Our AI models, powered by OpenAI and Anthropic, are used for code generation. These providers do not use this data for training and retain it for only 30 days.
- Data Ownership: You retain full ownership of all data provided to and generated by the App. We use this data solely to power our products and enhance their functionality. Your data can be securely deleted upon request or post-subscription termination.
The collected data is used to automatically generate and modify PRs, provide valuable insights to improve the App, and monitor App usage and address technical issues.
To enable seamless operation and integration with your development workflow, Tusk requires specific access to GitHub repositories. Here's an overview of how we handle this access:
- Read and Write Access: We have read access for gathering necessary data related to commits, pull requests (PRs), and other repository activities. Write access is utilized to facilitate the creation of pull requests, including file creation, branch creation, and commit generation.
- Data Handling: Your files are fetched at runtime, and we do not store any files permanently on our servers. We prioritize the integrity and confidentiality of your data at every step.
- Branch Protection Compliance: Tusk fully respects and complies with GitHub's branch protection rules, ensuring that your code's security and workflow integrity are maintained:
  - No Direct Pushes to Protected Branches: Tusk cannot directly push changes to your protected branches. Any modifications proposed by Tusk are submitted through the standard pull request process.
  - Adherence to Review Processes: All changes made by Tusk undergo your team's established pull request review process, upholding your project's governance, coding standards, and quality checks.
  - No Access to Modify Branch Protection Settings: Tusk does not have the capability to modify or update your branch protection settings. This ensures that your repository's security configurations remain under your team's exclusive control.
- Secure Authentication: We use GitHub's recommended authentication method, ensuring secure and controlled access to your repositories. The necessary installation ID is stored securely, and we maintain detailed logs of all actions taken, which users can request to review.
Our dedication to securing customer data is evident in our adoption of industry-leading security practices across the Tusk organization, namely:
- Secrets Management: Google Cloud Secret Manager is employed for robust secrets management.
- Network Segmentation: Separating web servers and databases enhances overall security.
- Data Retention: Customer data can be securely deleted upon request or post-subscription termination.
- Data Encryption: All REST API transmissions are HTTPS-protected, and we use TLS for data encryption.
- Cloud & Managed Infrastructure: Leveraging Google Cloud’s infrastructure ensures robust data security.
- Access Control: Stringent access controls restrict data access to authorized personnel only.
- Real-time Surveillance: Continuous monitoring ensures immediate response to potential security threats.
- Comprehensive Logging: Detailed API call logs facilitate effective security analysis and auditing.
- Multi-Tenant Architecture: Ensures logical segregation and isolation of customer data.
- Third-Party Security Compliance: We partner with third-party services that meet our high standards for security and privacy.
- Data Privacy: We are committed to protecting customer data privacy and do not sell or share data for marketing purposes.
- Authentication Standards: We utilize OAuth 2.0 for secure user authentication.
At Tusk, we are prepared to swiftly and effectively address any security incidents to minimize impact and protect our users' data:
- Detection and Identification: Our systems are monitored continuously to detect and identify any potential security incidents promptly.
- Response Team: We have a dedicated incident response team that is trained and ready to respond to security incidents.
- Containment and Eradication: Upon detection of an incident, immediate steps are taken to contain and eradicate the threat, preventing further damage.
- Recovery: We implement recovery procedures to restore any affected services or data to full functionality.
- Notification: In the event of a significant breach, affected users will be notified promptly, in compliance with relevant laws and regulations.
- Post-Incident Analysis: After an incident, we conduct a thorough analysis to identify causes, learn from the event, and implement improvements to prevent future occurrences.
Our Incident Response Plan is reviewed and updated annually to ensure its effectiveness in the face of evolving security threats.
User autonomy over their data is a cornerstone of our policy:
- Account Deletion: Users can delete their accounts at any time, which leads to the complete deletion of their data from our servers and third-party services.
- Data Export: Users can request a comprehensive data export at any time.
- Email addresses: If you connect a third-party ticketing service (e.g., Jira, Linear, etc.) we may fetch email addresses of users assigned to issues in order to sync them to GitHub users. We do not store this data and fetch it at runtime as needed.
Our commitment to transparency extends to how we communicate policy changes:
- Updates Notification: Any changes to our Privacy Policy will be posted on our website. We advise users to review the policy periodically for updates.
- Effective Dates: Changes are effective upon posting on our website.
We at Tusk value our users' feedback and are committed to addressing any security concerns they may have. The following is our process for taking user feedback into account:
- Open Communication Channels: Users are encouraged to report any security concerns or vulnerabilities they may encounter through our dedicated support channel at security@usetusk.ai.
- Feedback Review: All feedback and concerns are reviewed by our security team and are used to guide improvements in our security practices.
- User Collaboration: We believe in collaborating with our user community to enhance the security of our platform. Suggestions and feedback are not only welcomed but are an integral part of our security strategy.
- Transparency in Updates: When user feedback leads to changes or updates in our security practices or policy, we communicate these changes to all users to maintain transparency and trust.
For any inquiries or concerns regarding our Privacy Policy, please contact us at security@usetusk.ai.
Your voice is essential to us, and we are committed to ensuring that your experience with Tusk is secure, reliable, and responsive to your needs.