
IC-level analytics, responsibly

Individual-contributor metrics are powerful and dangerous. Gitrevio's privacy layer ships defaults that let leadership get the signal they need without turning the product into a surveillance tool. Every IC metric flows through the same five gates.

Five gates on every IC metric

min_team_size threshold
Per-customer floor (default 5). Below the floor, IC-keyed metrics aggregate to team scope automatically. Configurable per skill family.
Visibility mode
Per-customer toggle: visible_to_managers (default) vs aggregate_only. aggregate_only mode disables IC-keyed outputs across all surfaces — chat, MCP, reports, alerts.
Bot identification
git_author entries flagged as bots (heuristic + override list) are filtered from IC skills. Surfaced only in tooling-impact reports.
90-day purge on raw events
ai_assist_event.raw is purged after 90 days. Schema-enforced via a partition-drop job; retention is configurable but the default is conservative.
GDPR DSAR endpoints
Art. 15 access export and Art. 17 erasure endpoints. Per-subject PII registry maps every storage location so erasure is provably complete.

Tamper-evident audit log

Hash-chained audit log enforced by a Postgres trigger. Each row's SHA-256 digest depends on the previous row; any in-place edit breaks the chain and is detected by the daily verifier.

Write path: trigger computes SHA-256(prev_hash || row_payload) on INSERT. Rows are immutable; UPDATE and DELETE are denied by row-level security.

Read path: audit_log_read is monthly-partitioned for SOX-grade traceability and predictable retention.

Verifier: daily job walks the chain and emits a signed attestation. A break alerts on-call with the row offset and the previous-known-good checkpoint.

# audit_log row
id: 4129044
ts: 2026-05-18T14:22:01Z
actor: alice@acme.io
action: skill.run
target: attrition_risk
params: {"contributor_id":"..."}
prev_hash: 7c4b...d9e2
row_hash: 3a1f...82c0
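
The chain walk the verifier performs, as an added example (not Gitrevio's code). It assumes a canonical-JSON row payload, hex digests, an all-zero genesis hash, and a hypothetical (offset, row_hash) checkpoint taken from an earlier attested run; the sample rows are constructed.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first row


def row_hash(prev_hash, payload):
    """SHA-256(prev_hash || row_payload) over an assumed canonical JSON encoding."""
    body = json.dumps(payload, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(bytes.fromhex(prev_hash) + body.encode()).hexdigest()


def append(log, payload):
    """Emulates the INSERT trigger: link the new row to the previous one."""
    prev = log[-1]["row_hash"] if log else GENESIS
    log.append({"payload": payload, "prev_hash": prev, "row_hash": row_hash(prev, payload)})


def verify(log, checkpoint=None):
    """Walk the chain; return (ok, break_offset, last_good_offset).
    checkpoint is a hypothetical (offset, row_hash) pair from an earlier attested run."""
    prev, last_good = GENESIS, None
    for offset, row in enumerate(log):
        linked = row["prev_hash"] == prev
        intact = row["row_hash"] == row_hash(row["prev_hash"], row["payload"])
        pinned = checkpoint is None or offset != checkpoint[0] or row["row_hash"] == checkpoint[1]
        if not (linked and intact and pinned):
            return False, offset, last_good
        prev, last_good = row["row_hash"], offset
    if checkpoint is not None and checkpoint[0] >= len(log):
        return False, len(log), last_good  # rows up to the checkpoint are missing
    return True, None, last_good


def build_sample_log():
    """Constructed sample rows, not real audit data."""
    log = []
    for i, action in enumerate(["skill.run", "report.export", "skill.run", "config.update"]):
        append(log, {"id": i + 1, "actor": "alice@example.test", "action": action})
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(verify(log))                                   # clean chain
    log[2]["payload"]["actor"] = "mallory@example.test"  # in-place edit of one row
    print(verify(log))                                   # break reported at offset 2
```

Without the checkpoint argument, a rewrite that recomputes every hash from the edited row onward still yields a self-consistent chain; comparing against a hash recorded by an earlier attested run is what catches that case.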

DSAR + consent

GDPR DSAR endpoints

Art. 15 access: per-subject JSON export covering every storage location referenced in the PII registry — central DB, customer DB, audit log, raw events, backup snapshots.

Art. 17 erasure: tombstone-then-purge flow. The tombstone preserves audit-log integrity while the underlying PII is overwritten with hash references.

Cookie consent

Banner gates Google Analytics and any other non-essential cookies. No tracking pixels load before consent is given.

Consent state is per-user, per-domain, per-purpose. Granted via the banner; revocable at any time from a footer link.
