At Signadot, we follow best practices around privacy and security that are constantly kept up to date through routine security audits and well documented procedures around handling of security issues.


Signadot uses TLS for all networking in and out of our service including from the browser to our API and from the API to your Kubernetes cluster, and all other points of communication.

Data Storage

We store metadata about your GitHub pull requests to power Signadot Workspaces including:

  1. References to GitHub Data: repository, org and branch.
  2. References to cluster data: Workspace objects and metadata about docker image names and tags.

All of this information is stored in an encrypted relational database. In terms of credentials for Signadot, we store API Keys that provide access to Signadot's API and Cluster Tokens for registration of Kubernetes clusters.


The following is information regarding the data that we access from integrations.




Signadot does not request or require permissions to access source code. The only information requested is metadata around creation and deletion of pull requests and commit statuses in order to perform lifecycle management of workspaces.

Signadot performs authentication and authorization of users using the Signadot GitHub Application. The application itself requires the following permissions:

  • Read access to metadata & pull request metadata - used for checking org memberships and for detecting new pull requests and triggering actions in response to open / close events.
  • Read / write access to commit statuses - used for updating status of pull requests with information about Signadot workspaces corresponding to the it.


The minimal required Kubernetes RBAC permissions to function are requested during the installation of the operator. Pod logs are streamed securely over the
TLS encrypted tunnels and not stored in any way.

Signadot uses helm to install a cluster agent as part of the Signadot Operator on a Kubernetes cluster. This agent connects securely using TLS encrypted TCP tunnels to the Signadot API Server to enable serving authenticated previews over *

Did this page help you?