Arbor is a pull request review companion. It walks changed code paths and tells solo devs, small teams, and AI agents what might break before merge.

Can AI coding agents use Arbor?

Yes. Arbor produces a compact PR brief with risky paths, likely side effects, unknown edges, and the first test to write so agents can keep edits scoped.

Does Arbor work with GitHub pull requests?

Yes. Arbor installs as a GitHub App, analyzes pull requests, and comments with the breakage path reviewers should inspect.

Back to Arbor

Data Handling

Real controls, plain language.

Arbor reads code to explain PR impact, so the trust page has to be concrete. This is what exists today, what comes from managed providers, and where we still need to ship more.

Implemented controls Provider-backed infrastructure Clearly marked limits

Production controls

What is real today

Concrete controls in the running product and infrastructure stack.

provider

Encrypted transport and managed storage

Arbor is served over HTTPS. Production data lives in managed providers with encrypted storage and operational access controls.

implemented

GitHub webhook verification

Webhook payloads are verified before they enter the analysis pipeline. Unverified deliveries are rejected.

implemented

Per-installation token boundaries

GitHub API access uses installation-scoped tokens. Arbor does not intentionally reuse tokens across tenants.

implemented

No repository code execution

The analyzer parses repository code structurally. It does not run customer tests, execute application code, or evaluate scripts.

implemented

Allowlisted settings writes

User-controlled repository settings are sanitized in the Next.js API proxy before being forwarded to the Rust API.

implemented

Parameterized database access

Rust API data access uses parameter binding through sqlx. Dynamic SQL string assembly is not used for application queries.

Data handling

What Arbor stores

The key operating principle: store product results, not long-lived source snapshots.

Stored

Account and GitHub metadata

Stored

Analysis results

Verdicts, paths, PR identifiers, timestamps, run metadata, and dashboard links.

Not stored as product data

Repository source snapshots

Repos are cloned for analysis work and should be treated as ephemeral worker data, not product data.

Not stored as product data

Payment card data

Card entry and payment processing are handled by Stripe. Arbor stores billing state, not raw card numbers.

Subprocessors

Third parties in the Arbor Cloud path

These vendors may process customer data when Arbor Cloud is used.

ProviderPurposeSafeguards

GitHubApp install, OAuth, repository metadata, webhooksGitHub terms and security program

VercelFrontend hosting and edge functionsManaged platform controls

RenderRust API, workers, and managed PostgreSQLManaged platform controls

StripeCheckout, subscriptions, invoices, and payment method handlingPCI DSS Level 1

SentryError and performance telemetry when configuredPII scrubbing configured in application code

Honest limits

What is not claimed yet

No badge theater. If something is not finished, it stays named here.

Formal certification

Not claimed yet. If we do not have an external report or signed agreement, we say that plainly.

Data deletion workflow

Handled case by case until the self-serve workflow ships.

Subprocessor packet

Architecture overview, subprocessors, and data flow notes are available on request.

Paid bounty

Responsible disclosure is active. A paid bounty program is not launched yet.

Vulnerability disclosure

Found a vulnerability? Tell us first.

Email security@getarbor.dev with reproduction steps. We acknowledge reports, triage them, and coordinate disclosure with researchers who act in good faith.

security@getarbor.dev security.txt

Back to Arbor

Data Handling

Real controls, plain language.

Arbor reads code to explain PR impact, so the trust page has to be concrete. This is what exists today, what comes from managed providers, and where we still need to ship more.

Implemented controls Provider-backed infrastructure Clearly marked limits

Production controls

What is real today

Concrete controls in the running product and infrastructure stack.

provider

Encrypted transport and managed storage

Arbor is served over HTTPS. Production data lives in managed providers with encrypted storage and operational access controls.

implemented

GitHub webhook verification

Webhook payloads are verified before they enter the analysis pipeline. Unverified deliveries are rejected.

implemented

Per-installation token boundaries

GitHub API access uses installation-scoped tokens. Arbor does not intentionally reuse tokens across tenants.

implemented

No repository code execution

The analyzer parses repository code structurally. It does not run customer tests, execute application code, or evaluate scripts.

implemented

Allowlisted settings writes

User-controlled repository settings are sanitized in the Next.js API proxy before being forwarded to the Rust API.

implemented

Parameterized database access

Rust API data access uses parameter binding through sqlx. Dynamic SQL string assembly is not used for application queries.

Data handling

What Arbor stores

The key operating principle: store product results, not long-lived source snapshots.

Stored

Account and GitHub metadata

Stored

Analysis results

Verdicts, paths, PR identifiers, timestamps, run metadata, and dashboard links.

Not stored as product data

Repository source snapshots

Repos are cloned for analysis work and should be treated as ephemeral worker data, not product data.

Not stored as product data

Payment card data

Card entry and payment processing are handled by Stripe. Arbor stores billing state, not raw card numbers.

Subprocessors

Third parties in the Arbor Cloud path

These vendors may process customer data when Arbor Cloud is used.

ProviderPurposeSafeguards

GitHubApp install, OAuth, repository metadata, webhooksGitHub terms and security program

VercelFrontend hosting and edge functionsManaged platform controls

RenderRust API, workers, and managed PostgreSQLManaged platform controls

StripeCheckout, subscriptions, invoices, and payment method handlingPCI DSS Level 1

SentryError and performance telemetry when configuredPII scrubbing configured in application code

Honest limits

What is not claimed yet

No badge theater. If something is not finished, it stays named here.

Formal certification

Not claimed yet. If we do not have an external report or signed agreement, we say that plainly.

Data deletion workflow

Handled case by case until the self-serve workflow ships.

Subprocessor packet

Architecture overview, subprocessors, and data flow notes are available on request.

Paid bounty

Responsible disclosure is active. A paid bounty program is not launched yet.

Vulnerability disclosure

Found a vulnerability? Tell us first.

Email security@getarbor.dev with reproduction steps. We acknowledge reports, triage them, and coordinate disclosure with researchers who act in good faith.

security@getarbor.dev security.txt