Security and Privacy

Security and privacy

Use least privilege, keep secrets out of workflow fields, and understand privacy boundaries.

Keep secrets out of the product

Do not paste private keys, access tokens, passwords, or payment card data into alert notes, owner fields, accepted risk reasons, support forms, or MCP prompts.

Use least privilege

Grant the minimum GitHub App permissions, organization roles, and MCP token scopes required for the workflow. Review access after onboarding, offboarding, and security incidents.

Understand data boundaries

InstaSLA stores workflow and alert metadata for each organization. Private dashboard pages are no-indexed, and sensitive operational data should not be sent to analytics events.