Coefficient Security Overview

Version: 2.0
Last Updated: March 17, 2026
Prepared For: Coefficient Customers

Executive Summary

At Coefficient, security is a core principle. We build our platform to protect your data, ensure privacy, and maintain control over your code. Our integrations with Slack and GitHub are designed to streamline workflows without compromising security.

Why Customers Can Trust Coefficient:

This overview highlights how we protect your data, your code, and your workflows.

1. Data Protection

Encryption at Rest: All credentials and sensitive information are encrypted using industry-standard AES encryption.

Encryption in Transit: All network communications use HTTPS/TLS.

Data Minimization: We collect only what the platform needs to function: PR metadata, PR diffs (used only for the optional AI review), Slack user IDs, and subscription preferences.

Backups & Retention: Automated, redundant backups with point-in-time recovery.

2. Access to Your Code

Your Code Stays Yours: Coefficient only processes pull request changes for analytics or AI review (Business AI tier). Full repositories are never accessed.

AI Review: Only changed lines, titles, and descriptions are sent to our AI provider (Anthropic Claude). No full repos, no commit histories, no unchanged files.

Control: Teams can enable or disable AI review at any time.

Authentication: OAuth 2.0 and secure tokens restrict access to authorized users and integrations.

3. Infrastructure Security

Cloud Hosting: Railway PaaS with HTTPS/TLS and DDoS protection.

Database Security: MongoDB Atlas with encryption, backups, and geographic redundancy.

Network Controls: Only application servers access databases and job queues.

Monitoring: Logs, alerts, and performance monitoring to detect issues quickly.

4. API & Integration Security

Secure APIs: JWT-based authentication, role-based access, and input validation.

Webhook Verification: Slack and GitHub requests are verified to prevent tampering.
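
As an added illustration of the webhook verification described above (example code written for this overview, not Coefficient's own implementation), the following Python checks the HMAC-SHA256 signatures that GitHub (X-Hub-Signature-256 header) and Slack (X-Slack-Signature plus X-Slack-Request-Timestamp headers) attach to their requests, so a request with a forged or tampered body, or a replayed Slack request, is rejected before it is processed. The secrets and request bodies are constructed placeholders.

```python
import hashlib
import hmac
import time
from typing import Optional

# Constructed secrets for this example. In a real deployment they come from the
# GitHub webhook settings and the Slack app's Signing Secret, never from source.
GITHUB_WEBHOOK_SECRET = b"example-github-secret"
SLACK_SIGNING_SECRET = b"example-slack-signing-secret"
SLACK_MAX_AGE_SECONDS = 300  # Slack advises rejecting requests older than five minutes


def github_signature(body: bytes, secret: bytes = GITHUB_WEBHOOK_SECRET) -> str:
    """Value GitHub sends in X-Hub-Signature-256: 'sha256=' + hex HMAC-SHA256 of the raw body."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_github(body: bytes, header_signature: Optional[str],
                  secret: bytes = GITHUB_WEBHOOK_SECRET) -> bool:
    """Accept only if the header matches the HMAC of the raw, unparsed body (constant-time compare)."""
    if not header_signature or not header_signature.startswith("sha256="):
        return False
    return hmac.compare_digest(github_signature(body, secret), header_signature)


def slack_signature(timestamp: str, body: bytes, secret: bytes = SLACK_SIGNING_SECRET) -> str:
    """Value Slack sends in X-Slack-Signature: 'v0=' + hex HMAC-SHA256 of 'v0:<timestamp>:<body>'."""
    base = b"v0:" + timestamp.encode() + b":" + body
    return "v0=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def verify_slack(body: bytes, timestamp: Optional[str], header_signature: Optional[str],
                 secret: bytes = SLACK_SIGNING_SECRET, now: Optional[float] = None) -> bool:
    """Reject stale timestamps (replayed requests) and any signature that does not match."""
    if not timestamp or not header_signature:
        return False
    try:
        ts = int(timestamp)
    except ValueError:
        return False
    current = time.time() if now is None else now
    if abs(current - ts) > SLACK_MAX_AGE_SECONDS:
        return False
    return hmac.compare_digest(slack_signature(timestamp, body, secret), header_signature)
```

Both checks must run on the exact bytes received, before any JSON or form parsing, because re-serialising the body changes the HMAC input.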

Rate Limiting: Prevents abuse of APIs or integrations.

5. Employee Access & Internal Controls

Least Privilege: Employees have only the access necessary for their role.

Audit Logging: All administrative actions are logged with timestamp, user, and action details.

Security Training: Employees receive regular security training, and secure practices are enforced.

Background Checks: Employees with access to production systems undergo background checks, and their access is escalated gradually rather than granted all at once.

6. Compliance & Standards

Security Frameworks and Standards: Follows OWASP Top 10 guidance and relies on OAuth 2.0, JWT, AES encryption, and TLS/HTTPS.

Third-Party Security: Slack, GitHub, Paystack, MongoDB Atlas, and Anthropic meet industry compliance standards (SOC 2, ISO 27001, PCI DSS).

Incident Response: Prompt detection, mitigation, root cause analysis, and customer notification when needed.

7. Customer Responsibilities

8. Continuous Improvement

Coefficient continuously improves security via: