Security at StandupAI

StandupAI handles engineering activity with the same rule the product uses everywhere: activity, not surveillance. We collect the minimum work signals needed to draft a standup, keep developers in control of what gets shared, and make every connected scope visible.

We do not train models on customer data.

We do not sell activity data.

We do not publish updates until a human reviews them.

We support deletion requests through privacy@standupai.com.

Connected tools

What StandupAI can access

These are the current integration scopes used by the app. We keep the table explicit so developers can see exactly what they are authorizing before they connect a tool.

GitHub
Scope: repo, read:user
Used for: Pull request, commit, review, and author metadata used to draft standups.
Limit: StandupAI does not score developers or publish anything automatically.

Linear
Scope: read
Used for: Issue status, assignee, and cycle context for the work you connect.
Limit: Read-only access. Disconnecting removes future sync access.

Jira
Scope: read:jira-work, read:jira-user, offline_access
Used for: Ticket status, assignee, project, and issue metadata needed for updates.
Limit: Refresh access is used only to keep authorized work signals current.

Slack
Scope: chat:write, users:read, users:read.email, channels:history, im:write
Used for: Team routing, user lookup, standup reminders, and selected channel context.
Limit: Channel history is for authorized work channels, not private productivity monitoring.
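As an added example that is not StandupAI's own code, here is a least-privilege check a team could run on the scope string an OAuth provider returns at token exchange, comparing it against the scope table above before the token is stored. The tool keys, the sample grants, and the use of GitHub's `admin:org` as an over-broad grant are assumptions for illustration.

```python
import re

# Per-tool allowlist taken from the scope table on this page.
ALLOWED_SCOPES = {
    "github": {"repo", "read:user"},
    "linear": {"read"},
    "jira": {"read:jira-work", "read:jira-user", "offline_access"},
    "slack": {"chat:write", "users:read", "users:read.email",
              "channels:history", "im:write"},
}


def parse_scope_string(raw):
    """Split the scope string a provider returns (space- or comma-separated)."""
    return {s for s in re.split(r"[,\s]+", raw.strip()) if s}


def check_grant(tool, raw_scopes):
    """Compare a granted scope string with the documented allowlist.

    Returns a dict with:
      ok      - True only when no scope outside the allowlist was granted
      excess  - granted scopes that are not on the allowlist (reject these)
      missing - allowlisted scopes the grant lacks (features may not work)
    An unknown tool is never ok: there is no published allowlist for it.
    """
    granted = parse_scope_string(raw_scopes)
    allowed = ALLOWED_SCOPES.get(tool.lower())
    if allowed is None:
        return {"ok": False, "excess": sorted(granted), "missing": []}
    excess = sorted(granted - allowed)
    missing = sorted(allowed - granted)
    return {"ok": not excess, "excess": excess, "missing": missing}


if __name__ == "__main__":
    # Constructed sample grants, not real token responses.
    print(check_grant("github", "repo, read:user"))
    print(check_grant("github", "repo,read:user,admin:org"))
    print(check_grant("slack", "chat:write users:read"))
```

A grant with anything in `excess` should be refused and the token discarded rather than stored, since storing it would widen access beyond what the table promises.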

Human-reviewed sharing

Drafts stay private until the developer reviews and submits them. No standup is posted from raw activity without that review step.

Encrypted tokens

OAuth tokens are encrypted by the application before storage using the configured encryption key, and all traffic runs over TLS.

Org-scoped access

Workspace data is scoped to the authenticated organization. Admin-only settings protect billing and bring-your-own-key controls.

Data minimization

StandupAI stores the work signals needed to generate drafts, source links, and standup history. It avoids individual productivity rankings.

AI data handling

Customer activity is used to generate the requested draft or digest. StandupAI does not use customer data to train models, and provider retention follows the configured production agreement for the workspace.

Retention and deletion

Standup history follows the plan limit shown on pricing. Deletion of an account or workspace can be requested through privacy@standupai.com, with completion tracked within 30 days.

Compliance status

SSO and audit controls are planned for Enterprise. SOC 2 is not claimed today. To report a vulnerability, email security@standupai.com.

Developer trust rule

StandupAI should feel like a draft assistant, not a monitoring system. Managers see submitted updates, source-linked blockers, and team-level health. They do not get an automatic individual productivity score.