Security
This page is a plain-language summary of Commentary’s current security posture. It is not a promise of formal certification, audit status, or a guarantee that incidents will never occur.
Authentication and access control
Commentary uses provider-native authorization as the default sign-in path, including GitHub App user authorization and Microsoft Entra authentication for Azure DevOps. Commentary also supports personal access tokens where workflow requirements make that necessary.
Authenticated actions, such as commenting, replies, and private repository access, depend on the connected provider identity and repository access available to the user. Interactive review actions continue to run as that connected provider user.
Application protections
Commentary applies baseline browser and transport protections including a Content Security Policy, frame restrictions, `X-Frame-Options: DENY`, `X-Content-Type-Options: nosniff`, referrer controls, and HSTS on secure requests.
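One way to verify that a response actually carries the baseline listed above, as an added example rather than Commentary's own code: the header values below are a constructed sample, and the checker treats either `X-Frame-Options: DENY` or a CSP `frame-ancestors` directive as satisfying the frame restriction.

```python
"""Audit a captured response header set against the browser/transport
baseline above. Added example; SAMPLE_HEADERS is constructed, not a
capture from the live service."""
from typing import Dict, List

# Constructed sample: headers as they might appear on an HTTPS response.
SAMPLE_HEADERS = {
    "content-security-policy": "default-src 'self'; frame-ancestors 'none'",
    "x-frame-options": "DENY",
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "strict-transport-security": "max-age=31536000; includeSubDomains",
}


def hsts_max_age(value: str) -> int:
    """Return max-age from an HSTS header value, or -1 if absent/invalid."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age":
            return int(num) if num.isdigit() else -1
    return -1


def baseline_findings(headers: Dict[str, str], https: bool) -> List[str]:
    """Return deviations from the baseline; an empty list means compliant."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[str] = []
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("missing Content-Security-Policy")
    if h.get("x-frame-options", "").upper() != "DENY" and "frame-ancestors" not in csp:
        findings.append("no framing restriction (X-Frame-Options DENY or CSP frame-ancestors)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options is not nosniff")
    if "referrer-policy" not in h:
        findings.append("missing Referrer-Policy")
    if https:
        # HSTS belongs on secure responses; max-age=0 switches it off.
        if hsts_max_age(h.get("strict-transport-security", "")) <= 0:
            findings.append("HSTS missing or max-age not positive")
    elif "strict-transport-security" in h:
        findings.append("HSTS sent over plain HTTP (browsers ignore it)")
    return findings


if __name__ == "__main__":
    print(baseline_findings(SAMPLE_HEADERS, https=True))  # []
```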
Write-heavy routes such as auth callbacks, PAT validation, review-thread mutation, refresh, review submission, and webhook ingestion are rate limited and enforce bounded request-body sizes.
Commentary also maintains privacy-safe request telemetry and operational monitoring intended to detect service failures and abnormal behavior quickly.
Data protection and infrastructure
Commentary uses Azure-backed infrastructure to host and operate the service. Auth tokens and refresh material are stored encrypted at rest using the service encryption key configured by operators.
App-native review state is separated from raw provider state where practical so Commentary can preserve local review history, re-anchor comments after source changes, and stage provider sync safely before submission.
Operational retention
Commentary applies operational retention windows to limit long-lived auth and diagnostic data. OAuth state is retained for 1 day, expired sessions and revoked or expired provider connections for 30 days, webhook deliveries for 30 days, background jobs for 14 days, thread sync events for 90 days, thread anchor events for 180 days, and refresh events for 30 days.
Commentary also supports deletion of a repository's review data on request through support, for cases where a workspace owner needs data removed outside the standard retention schedule.
Reporting security concerns
To report a security concern, contact support@commentary.dev and include enough detail for reproduction, impact assessment, and a secure response process.
Commentary also publishes a machine-readable contact record at `/.well-known/security.txt`.