Security and Privacy
Security and privacy
Use least privilege, keep secrets out of workflow fields, and understand privacy boundaries.
Keep secrets out of the product
Do not paste private keys, access tokens, passwords, or payment card data into alert notes, owner fields, accepted risk reasons, support forms, or MCP prompts.
Use least privilege
Grant the minimum GitHub App permissions, organization roles, and MCP token scopes required for the workflow. Review access after onboarding, offboarding, and security incidents.
Understand data boundaries
InstaSLA stores workflow and alert metadata for each organization. Private dashboard pages are no-indexed, and sensitive operational data should not be sent to analytics events.