Trust & security

Honest specifics, not vague assurances.

SmartRetro reads your team's working signals continuously. That only works if you can answer — precisely — what we read, what we store, and what we never do. This page is that answer.

How we operate

Six commitments you can check.

We read only what we need

Channels you subscribe to, and public events in repos you connect. Installation is default-off — no channel is read until an admin opts it in. Never DMs.

We don't store source code

Architectural rule, not a soft policy. PR titles, review latency, and deploy events — never diffs, never file contents, never repository code.

Your AI calls, your provider

AI analysis runs through your own LLM provider key — Anthropic, OpenAI, or equivalent — under your contract and your provider's data terms, not ours.

Individual opt-out, enforced

Anyone on the team can opt out of being analyzed or surfaced — enforced at capture, analysis, and surfacing, across every integration at once.

We show our work

Every surfaced pattern carries clickable provenance back to the source messages, PRs, or events it came from. Every admin action lands in an append-only audit log.

Quiet by default

Surfacing thresholds ship conservative. Verbosity is a per-channel dial your admins control — not a firehose you have to tame.

The data flow

Bring your own AI provider.

Most AI SaaS routes your data through the vendor's model account, making the vendor an AI sub-processor you have to assess. SmartRetro inverts that: your message content reaches the provider you chose, on your API key, governed by your provider agreement.

You can audit usage in your provider dashboard, configure provider-side retention and training settings yourself, and revoke the key at any time — analysis pauses, your data stops flowing.

What happens on a detection

  1. An event arrives from a channel or repo your admin subscribed.

  2. A lightweight local pre-filter scores it. Most events stop here — no model call, no data leaves.

  3. If a threshold is crossed, candidate context goes to your LLM provider via your API key.

  4. The result is stored as a pattern with provenance links — and surfaced to your team, who decide what to do.
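The four stages above, together with the opt-out and "no source code" rules from the commitments section, sketched as an added illustration. This is not SmartRetro's code: the event fields, the signal lexicon, the forbidden repo fields, and the injected `provider` callable (standing in for a customer-key-bound LLM call) are all assumptions made for the example. What it shows is where each rule has to be enforced for the commitments to hold: DMs and unsubscribed channels are dropped at capture, code-bearing fields are stripped before anything is stored, the pre-filter decides locally whether a provider call happens at all, opt-out is checked again at analysis and at surfacing, and every stored pattern keeps the event ids it was derived from.

```python
"""Detection pipeline: capture -> local pre-filter -> provider call -> stored pattern with provenance.
Added example; the field names, lexicon and provider callable are assumptions, not SmartRetro's code."""
from dataclasses import dataclass, field
from typing import Callable

# Constructed: fields from a repo event that must never reach storage (diffs, file contents).
FORBIDDEN_REPO_FIELDS = {"diff", "patch", "files", "file_contents"}
# Constructed: cheap local lexicon for the pre-filter; no network involved.
SIGNAL_TERMS = {"blocked", "stuck", "waiting", "revert", "hotfix", "flaky", "rollback"}


@dataclass(frozen=True)
class Event:
    event_id: str
    source: str        # "chat" or "repo"
    channel: str       # channel name or repo slug
    channel_kind: str  # "public", "private" or "dm"
    author: str
    text: str          # message text or PR title
    meta: dict = field(default_factory=dict)


@dataclass
class Pattern:
    summary: str
    provenance: list   # event ids the summary was derived from


@dataclass
class Workspace:
    subscribed: set
    opted_out: set
    threshold: int
    provider: Callable[[list], str]   # assumed: an LLM call bound to the customer's own key
    events: dict = field(default_factory=dict)   # event_id -> Event, kept for provenance links
    patterns: list = field(default_factory=list)
    audit: list = field(default_factory=list)    # append-only record of pipeline decisions
    provider_calls: int = 0


def capture(ws, event):
    """Stage 1: accept only subscribed, non-DM events from people who have not opted out,
    and strip code-bearing fields before the event is retained at all."""
    if event.channel_kind == "dm":
        ws.audit.append(f"drop {event.event_id}: dm")
        return None
    if event.channel not in ws.subscribed:
        ws.audit.append(f"drop {event.event_id}: unsubscribed {event.channel}")
        return None
    if event.author in ws.opted_out:
        ws.audit.append(f"drop {event.event_id}: author opted out")
        return None
    clean_meta = {k: v for k, v in event.meta.items() if k not in FORBIDDEN_REPO_FIELDS}
    clean = Event(event.event_id, event.source, event.channel, event.channel_kind,
                  event.author, event.text, clean_meta)
    ws.events[clean.event_id] = clean
    return clean


def prefilter_score(event):
    """Stage 2: local score from the lexicon plus a review-latency signal (>24h)."""
    words = {w.strip(".,!?:;").lower() for w in event.text.split()}
    score = len(words & SIGNAL_TERMS)
    if event.meta.get("review_latency_s", 0) > 86400:
        score += 1
    return score


def analyze(ws, batch):
    """Stage 3: call the provider only when the batch crosses the threshold;
    opt-out is re-checked here, not only at capture."""
    batch = [e for e in batch if e is not None and e.author not in ws.opted_out]
    if sum(prefilter_score(e) for e in batch) < ws.threshold:
        ws.audit.append("prefilter: below threshold, no provider call")
        return None
    ws.provider_calls += 1
    summary = ws.provider(batch)
    pattern = Pattern(summary, [e.event_id for e in batch])
    ws.patterns.append(pattern)
    ws.audit.append(f"pattern stored from {len(batch)} events")
    return pattern


def surface(ws):
    """Stage 4: re-check opt-out at surfacing time; provenance from anyone who opted out
    after analysis is dropped, and a pattern with no remaining provenance is not shown."""
    shown = []
    for p in ws.patterns:
        prov = [eid for eid in p.provenance if ws.events[eid].author not in ws.opted_out]
        if prov:
            shown.append(Pattern(p.summary, prov))
    return shown


def demo():
    """Runs the pipeline over constructed sample events and returns (workspace, pattern, surfaced)."""
    def fake_provider(events):  # stands in for the customer-key LLM call
        return "review backlog: " + "; ".join(e.text for e in events)

    ws = Workspace(subscribed={"#eng-backend", "acme/api"}, opted_out={"dana"},
                   threshold=2, provider=fake_provider)
    raw = [  # constructed sample input
        Event("e1", "chat", "#eng-backend", "public", "ana", "PR is stuck waiting on review again"),
        Event("e2", "chat", "dm", "dm", "ana", "can you look at my pr"),
        Event("e3", "repo", "acme/api", "public", "bo", "Hotfix: revert flaky retry",
              {"review_latency_s": 172800, "diff": "--- a/x\n+++ b/x"}),
        Event("e4", "chat", "#eng-backend", "public", "dana", "blocked on infra"),
        Event("e5", "chat", "#random", "public", "ana", "lunch?"),
    ]
    captured = [capture(ws, e) for e in raw]
    pattern = analyze(ws, captured)
    ws.opted_out.add("bo")  # bo opts out after the pattern was stored
    return ws, pattern, surface(ws)


if __name__ == "__main__":
    ws, pattern, shown = demo()
    print(pattern, shown, ws.audit, sep="\n")
```

Running `demo()` makes one provider call, from two events: the DM, the unsubscribed channel and the opted-out author never enter the workspace, and the repo event is retained without its `diff`. Because `bo` opts out after the pattern exists, the surfaced pattern keeps only `e1` in its provenance.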

Hard lines

What SmartRetro never does.

These are permanent architectural commitments, not phase-one deferrals.

  • No reading direct messages between humans — regardless of admin permissions.
  • No individual performance assessment. Team patterns, never person scores.
  • No predictions about individual people — attrition, burnout, or performance.
  • No autonomous decisions on team data. AI detects, surfaces, recommends — humans decide and act. Always.
  • No signal capture outside connected tools — no email, calendar, documents, or screen time.
  • No storing source code — not in repositories, not in diffs, not in commit contents.

Where we are

Current status, stated plainly.

  • Encryption — data encrypted in transit and at rest, scoped to your organization.

  • BYO LLM provider — shipped. Customer-configured provider keys govern all content-bound AI calls.

  • SOC 2 Type II and ISO 27001 — in progress. We'll publish attestations when they complete; until then we say "in progress," not "compliant."

  • Enterprise documents — MSA, DPA, and enterprise terms are being drafted for the Enterprise tier. If you need them today, talk to us.

Questions a security review will ask

Where does our data go?
  Into your SmartRetro workspace, encrypted; AI-bound content goes to your chosen LLM provider on your key.

Who can see it?
  Your organization's members, per your workspace settings. Access is organization-scoped at the data layer.

Can people opt out?
  Yes — individually, enforced at capture, analysis, and surfacing across all integrations.

What governs the legal relationship?
  Our Terms of Service and Privacy Policy. Read them — and if something there doesn't match what this page says, tell us and we'll fix it.

Still have questions?

Ask us the hard ones.

Every commitment on this page is meant to survive a fifteen-minute conversation with a skeptical engineering manager. We'd rather have that conversation early.