

At Signadot, we follow privacy and security best practices, which are kept up to date through routine security audits and well-documented procedures for handling security issues.


Signadot uses TLS for all network traffic in and out of our service, including from the browser to our API, from the API to your Kubernetes cluster, and at all other points of communication.

Data Storage

We store metadata about your GitHub pull requests to power Signadot sandboxes including:

  1. References to GitHub data: repository, org and branch.
  2. References to cluster data: Sandbox objects and metadata about Docker image names and tags.

All of this information is stored in an encrypted relational database. In terms of credentials for Signadot, we store API Keys that provide access to Signadot's API and Cluster Tokens for registration of Kubernetes clusters.


The following is information regarding the data that we access from integrations.


The minimal Kubernetes RBAC permissions required to function are requested during installation of the operator. Pod logs are streamed securely over the TLS-encrypted tunnels and are not stored in any way. For detailed documentation on the Kubernetes RBAC permissions, please refer to Kubernetes Permissions.

Signadot uses Helm to install a cluster agent as part of the Signadot Operator on a Kubernetes cluster. This agent connects securely to the Signadot API Server using TLS-encrypted TCP tunnels to enable serving authenticated previews over *