Security at TrimCI
TrimCI is built around one promise: we analyze your CI/CD pipelines without ever touching your source code. This page describes, in concrete terms, what we access, how we protect it, and where your responsibilities begin. We would rather show you specifics than badges.
1. What we never access
We never read your source code, workflow YAML files, commit diffs, or any repository file. Our GitHub App requests only two read-only permissions (Actions and repository metadata) — never repository contents. GitLab's API offers no scope that narrow, so we enforce the boundary ourselves: a runtime allowlist inside our HTTP clients rejects any request outside pipeline, job, and project-listing endpoints before it leaves our servers. Extending that allowlist requires a code change and a code review — an accidental request into repository contents is technically impossible.
2. What we do process
- Account data: your email address and a salted password hash.
- Pipeline metadata: run and job names, timing, durations, statuses, conclusions, branches, trigger events, and the username of the person who triggered each run.
- Failed-job log excerpts: the last 8,000 characters of failed jobs only, stored compressed, automatically deleted after 30 days.
- Web analytics: cookie-less, self-hosted page-view records on our own EU servers — no raw IP stored, irreversible daily-rotating visitor identifier, no third-party analytics vendor.
- Product-milestone events: records that an account or organization reached a service milestone (e.g. first sync, first report); detached from the account on deletion.
3. Hosting and infrastructure
The service runs on Hetzner infrastructure in the European Union. The application, databases, queues and the AI model live in the same isolated environment; databases are not exposed to the public internet. Data does not leave the European Economic Area — see the sub-processor list.
4. Encryption
- In transit: all traffic — browser to TrimCI, and TrimCI to provider APIs — uses TLS.
- At rest: CI provider credentials (GitLab tokens) are encrypted with Fernet (AES-based) before storage; GitHub access uses short-lived installation tokens minted per request.
- Credentials hygiene: authorization headers are redacted from logs; passwords are stored only as salted hashes.
5. AI processing — self-hosted by design
Optimization recommendations are generated by a language model hosted on our own infrastructure. Your logs and pipeline data are never sent to OpenAI, Anthropic, or any external AI provider. Before a log excerpt reaches the model, known secret formats (cloud keys, provider tokens) are redacted.
6. Access control
Every account requires email verification. Data is isolated per organization, and the organization context is validated on every request — a user can only ever see data of organizations they belong to. Management actions (connecting providers, selecting repositories, generating recommendations) are restricted to owner and admin roles.
7. Data retention and deletion
| Data | Retention |
|---|---|
| Failed-job log excerpts | 30 days, automatic permanent deletion |
| Pipeline metadata | Life of the organization; deleted when the organization is deleted |
| Account data | Until account deletion |
| Web analytics records | Kept as service statistics; no raw IP, irreversible visitor identifier (daily salt rotation) |
| Product-milestone events | Kept as service statistics; detached from the account on deletion |
8. Your responsibilities
- Grant least scope: use the read_api scope for GitLab tokens (group tokens recommended), and install the GitHub App only on the repositories you want analyzed.
- Keep organization membership current: remove members who leave your team, and rotate provider tokens on offboarding.
- Protect your account credentials; TrimCI will never ask for your password by email.
- Avoid printing secrets or personal data in CI logs — log excerpts of failed jobs reach the service (with secret redaction as a safety net, not a substitute).
9. Reporting a vulnerability
If you believe you have found a security vulnerability, email office@trimci.com with "SECURITY" in the subject. We respond within 72 hours. We will not pursue legal action against good-faith research that respects user data and does not disrupt the service.
10. Compliance posture
We are GDPR-first: an EU-registered business, EU-only hosting and processing, a public Privacy Policy, a self-serve Data Processing Agreement that applies to every organization automatically, and a published sub-processor list. We do not currently hold a SOC 2 attestation — at our size we invest in the concrete measures on this page instead, and this page is kept current as the service evolves.
11. Changes and contact
Material changes to our security posture are announced to customers and reflected here with an updated date. Security questions: office@trimci.com.