
Security

Built to live in your CI.

Read PR runs inside your GitHub workflow and your reviewers' browsers. Here is what that means for your data.

Source code
Read PR never stores the contents of your code. The browser extension does not transmit diff bodies, file contents, or selections to our servers. The GitHub App reads file metadata (paths, additions, deletions) only — required to apply per-glob rules.
Reading data
We store dwell time per file, per reviewer, per pull request — and the GitHub identifiers needed to attribute it. Per-PR reading state is purged when the PR closes; aggregate reviewer history is purged 90 days later unless retention is extended for compliance.
Encryption
All traffic is TLS 1.3. Stored data is encrypted at rest with AES-256. Database backups are encrypted and access-logged.
Access control
Workspace data is partitioned by GitHub installation ID. Every API request enforces workspace membership via assertApiUser at the route boundary. Internal access is on-call only, audit-logged, and reviewed quarterly.
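The pattern described above, a membership check at the route boundary with every query partitioned by installation ID, as an added illustration that is not Read PR's own code: the function names (assertApiUser, getDwellTimes, handle), the request shape, the in-memory membership and dwell-time tables and the status codes are all assumptions constructed for this example.

```javascript
// Added example, not Read PR's code. Names, request shape and data are assumed.

class ApiError extends Error {
  constructor(status, message) {
    super(message);
    this.status = status;
  }
}

// Constructed membership table: GitHub installation id -> set of GitHub user ids.
const MEMBERSHIPS = new Map([
  [1001, new Set([42, 43])],
  [2002, new Set([99])],
]);

// Constructed per-installation store of dwell-time rows (one row per file, reviewer, PR).
const DWELL = new Map([
  [1001, [{ pr: 7, file: "src/a.ts", reviewer: 42, ms: 1200 }]],
  [2002, [{ pr: 3, file: "lib/b.go", reviewer: 99, ms: 800 }]],
]);

// Route-boundary guard (hypothetical assertApiUser): runs before any data access.
// 401 when there is no authenticated user, 400 when the installation id in the
// path is malformed, 403 when the user is not a member of that workspace.
// The tenant key is taken only from the route, never from the request body,
// so a caller cannot widen the query to another installation.
function assertApiUser(req) {
  const userId = req.auth && req.auth.userId;
  if (!Number.isInteger(userId)) throw new ApiError(401, "unauthenticated");

  const installationId = Number(req.params && req.params.installationId);
  if (!Number.isInteger(installationId)) throw new ApiError(400, "bad installation id");

  const members = MEMBERSHIPS.get(installationId);
  if (!members || !members.has(userId)) throw new ApiError(403, "not a workspace member");

  return installationId; // the only tenant key the handler is allowed to use
}

// Handler: every lookup is keyed by the installation id the guard returned.
function getDwellTimes(req) {
  const installationId = assertApiUser(req);
  return DWELL.get(installationId) || [];
}

// Thin adapter that turns guard failures into HTTP-style responses.
function handle(req) {
  try {
    return { status: 200, body: getDwellTimes(req) };
  } catch (e) {
    if (e instanceof ApiError) return { status: e.status, body: { error: e.message } };
    throw e; // unexpected errors are not masked as auth failures
  }
}

module.exports = { assertApiUser, getDwellTimes, handle, ApiError };
```

The guard returns the tenant key rather than a boolean so the handler cannot forget to scope its query; if a workspace's existence should not be discoverable by non-members, the 403 branch can be collapsed into a 404 without changing the rest of the flow.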
Open source extension
The browser extension is open source. Every byte it sends to readpr.dev can be audited in the public repository. We publish signed releases and a SHA256 of the published bundle on each version tag.
GitHub App permissions
Read-only access to pull requests, contents (paths only), and checks. Write access to checks (to post the read-pr/reviewed status). No write access to code, no admin access, no secrets access.
Vendor security
Hosted on Vercel (US-East). Database on Neon Postgres (encrypted, point-in-time recovery). Cache and queue on Upstash (TLS, region-pinned). Email on Resend (no marketing tracking pixels).
Compliance
SOC 2 Type II is in progress with a planned report date in Q3 2026. GDPR data-processing addendum available on request. HIPAA is not in scope — Read PR is not designed for protected health information.
Vulnerability disclosure
Report security issues to security@readpr.dev. We aim to acknowledge within 24 hours and triage within 72 hours. We will credit reporters who request it. There is no bug bounty cash program yet — that is on the roadmap.
Subprocessor list
GitHub (auth + webhook source), Vercel (hosting), Neon (database), Upstash (cache + queue), Resend (transactional email), Stripe (billing). The current list lives at /security/subprocessors.

Need a SIG, SOC 2 report, DPA, or a custom retention policy? Email security@readpr.dev.
