Third-Party Services
Last updated: March 9, 2026
Ridge Sight integrates with a number of third-party services to provide its functionality. This document describes each service, what data is shared with it, and why. It supplements our Terms of Service, Subscription & Billing Agreement, and AI Data Processing documentation.
1. GitHub
Purpose: Authentication, repository data, pull request management, and webhooks.
Packages: @octokit/app, @octokit/rest
Data Shared
- OAuth 2.0 authentication — when you sign in, you are redirected to GitHub's OAuth flow. GitHub returns an access token and your public profile information (username, avatar URL, GitHub user ID). We store a hashed session token and your GitHub user ID; your access token is encrypted at rest using AES-256-GCM.
- Repository and pull request data — we read repository metadata, open pull requests, pull request comments, timeline events, CI status, conflict information, and file change summaries using your access token and/or GitHub App installation tokens. This data is fetched on-demand and is not bulk-stored.
- Write operations (Premium) — if you use premium features such as in-app merging, commenting, branch updating, or marking PRs as ready for review, we send the corresponding write requests to GitHub's API on your behalf.
- Webhooks — GitHub sends webhook events (pull request opened/closed/updated, check suite completed, installation changes) to our server. These events contain repository and pull request metadata. We verify webhook signatures using HMAC-SHA256 before processing.
Data Retention
GitHub access tokens and refresh tokens are stored encrypted in our database for the duration of your session. We do not retain repository source code, file contents, or commit diffs.
2. Neon (PostgreSQL)
Purpose: Primary database for all application data.
Package: @neondatabase/serverless
Data Shared
- User accounts — GitHub user ID, GitHub username, and avatar URL.
- Sessions — SHA-256 hashed session tokens, creation and expiry timestamps.
- Encrypted tokens — GitHub access tokens, refresh tokens, Slack webhook URLs, and Pushover API keys are stored encrypted (AES-256-GCM). The database stores only the ciphertext.
- Application state — selected repositories, saved/dismissed pull requests, shared view configurations, team preferences, notification settings, AI insight cache, plan/subscription metadata, and usage counters.
Data Retention
Neon hosts the database where all persistent application data resides. Data is encrypted at rest by Neon. Row-level security (RLS) policies enforced at the database level ensure users can only access their own records. Automated cleanup processes remove expired sessions, stale counters, and old dismissed PRs on a regular schedule.
3. Stripe
Purpose: Payment processing, subscription billing, and usage-based AI metered billing.
Package: stripe
Data Shared
- Customer creation — when you subscribe to Premium, a Stripe customer is created with your internal user ID and GitHub username as metadata. We intentionally do not pass your email address to Stripe; all PII that Stripe collects stays exclusively in Stripe.
- Subscription management — Stripe processes your payment method, billing address, subscription lifecycle (creation, renewal, cancellation), and invoicing. None of this billing data touches our database.
- Metered AI billing — usage-based charges for premium AI model calls are reported to Stripe as metered usage records (quantities only, no prompt content). Stripe adds these to your invoice.
- Credit Grants — when you purchase a prepaid credit pack, a Stripe Credit Grant is created on your customer record. The grant is scoped to metered AI usage and includes only the credit amount, expiration date, and internal identifiers (user ID, pack ID). No prompt content or PII is included in grant metadata.
- Webhooks — Stripe sends webhook events to our server for subscription status changes (completion, cancellation, renewal). We verify webhook signatures before processing.
- Customer Portal — the "Manage Plan" button redirects you to Stripe's hosted Customer Portal where you can update payment methods, view invoices, and download receipts. This is entirely hosted by Stripe.
Data Retention
We store only the opaque Stripe customer ID, subscription ID, and Credit Grant IDs in our database to correlate webhook events and credit top-up purchases with your account. All payment information, billing addresses, invoices, and receipts are retained exclusively by Stripe.
4. Vercel
Purpose: Application hosting, serverless edge functions, and deployment infrastructure.
Data Shared
- HTTP requests — all requests to Ridge Sight pass through Vercel's edge network. Vercel processes standard HTTP metadata (IP address, headers, request path) as part of serving the application.
- Serverless function execution — our API routes run as Vercel serverless functions. Vercel provides the compute environment but does not inspect or retain the application data processed within functions.
5. Vercel Analytics
Purpose: Privacy-friendly web analytics to understand usage patterns and improve the product.
Package: @vercel/analytics
Data Shared
- Page views and web vitals — Vercel Analytics collects anonymized page view data and Core Web Vitals performance metrics (LCP, FID, CLS). It does not use cookies or track individual users across sessions.
- No PII — Vercel Analytics is designed to be privacy-friendly and does not collect personally identifiable information, IP addresses, or user agent fingerprints for tracking purposes.
6. Vercel AI Gateway
Purpose: Routes AI inference requests to model providers under a Zero Data Retention (ZDR) policy.
Packages: @ai-sdk/openai, ai (Vercel AI SDK)
Data Shared
- Pull request metadata — when you request an AI insight, a prompt is constructed containing only PR metadata: repository name, PR number, title, author, draft status, change statistics, conflict status, stale days, top changed file paths, and the PR body/description. No source code or file contents are ever sent.
- Model selection — your chosen model ID is sent to the gateway to route the request to the appropriate provider.
Data Retention
The Vercel AI Gateway exclusively routes requests to model providers operating under a Zero Data Retention policy. No data you send through Ridge Sight's AI features is stored, logged, or used for model training by the AI model providers. Data exists in the provider's infrastructure only for the duration of the inference request and is discarded immediately after the response is generated.
For full details, see our AI Data Processing documentation.
Vercel AI Gateway Documentation
7. AI Model Providers (via Vercel AI Gateway)
Purpose: Large language model inference for pull request risk analysis and insights.
All AI model providers are accessed exclusively through the Vercel AI Gateway and operate under Zero Data Retention agreements. The following providers may process your PR metadata depending on which model you select:
| Provider | Models Available | Privacy Policy |
|---|---|---|
| Mistral AI | Ministral 3B (included model) | Privacy Policy |
| TogetherAI | Qwen 3 Coder (default gateway model) | Privacy Policy |
| DeepInfra | Llama 3.1 8B, DeepSeek V3.2 | Privacy Policy |
| Fireworks AI | Kimi K2, GPT-OSS 120B | Privacy Policy |
| Amazon Bedrock | Qwen 3 Coder 30B A3B | Privacy Policy |
| Anthropic | Claude Haiku 4.5, Claude Sonnet 4.6, Claude Opus 4.6 | Privacy Policy |
You choose which model processes your data. You can switch models at any time. Data sent to any of these providers is limited to PR metadata only and is subject to the Zero Data Retention policy described in Section 6.
8. Slack
Purpose: Optional notification delivery for PR digest alerts.
Data Shared
- Digest summaries — if you configure a Slack webhook, Ridge Sight sends notification digests containing aggregated alert counts (e.g., "New PRs: 3, Failing CI: 1, Stale PRs: 2"). Messages include alert category labels and counts only — no repository names, PR titles, or source code.
- Webhook URL — you provide a Slack incoming webhook URL. This URL is encrypted at rest (AES-256-GCM) in our database and is only decrypted server-side at the moment of delivery.
Data Retention
Slack retains delivered messages according to your Slack workspace's retention policies. Ridge Sight does not store delivered message content after sending.
Opt-in only — Slack notifications are never enabled by default. You must explicitly configure a webhook URL to activate them.
9. Pushover
Purpose: Optional push notification delivery for PR digest alerts.
Data Shared
- Digest summaries — if you configure Pushover credentials, Ridge Sight sends notification digests containing alert counts and a link to view pull requests. Messages include alert category labels and counts only.
- API credentials — you provide a Pushover user key and application token. Both are encrypted at rest (AES-256-GCM) in our database and are only decrypted server-side at the moment of delivery.
Data Retention
Pushover retains delivered notifications according to its own retention policies. Ridge Sight does not store delivered message content after sending.
Opt-in only — Pushover notifications are never enabled by default. You must explicitly configure your credentials to activate them.
10. Sentry
Purpose: Error monitoring and performance tracking for application reliability.
Package: @sentry/nextjs
Data Shared
- Error reports — when an unhandled exception or API error occurs, Sentry receives the error message, stack trace, request URL, HTTP method, response status code, and runtime environment (Node.js version, Vercel region). No user PII, access tokens, or request/response bodies are included.
- Performance traces — a 10% sample of requests includes timing data (route, duration, status code) for performance monitoring. No request payloads or user-identifiable data is included in traces.
- Browser errors — if a client-side DSN is configured, browser JavaScript errors are reported with the error message, stack trace, browser/OS metadata, and page URL. No cookies, local storage data, or user inputs are captured. Session replays are disabled by default.
Data Retention
Sentry retains error events for 90 days by default (configurable in the Sentry project settings). Performance data is retained for 90 days. Sentry is a data processor under GDPR and offers a Data Processing Addendum (DPA). Source maps may be uploaded during builds to enable readable stack traces; these contain only minified code mappings, not application data.
Opt-in only — Sentry is disabled unless the SENTRY_DSN environment variable is configured. When disabled, no data is sent to Sentry.
Summary Table
| Service | Required? | Data Category | User Control | Transfer Mechanism |
|---|---|---|---|---|
| GitHub | Yes | Auth, repo & PR metadata | Revoke GitHub App installation | EU SCC |
| Neon | Yes | All stored application data | Delete account removes all data | EU SCC + SOC 2 |
| Stripe | Premium only | Payment & billing | Manage via Stripe Customer Portal | EU SCC + PCI DSS |
| Vercel | Yes | HTTP request metadata | Infrastructure provider | EU SCC |
| Vercel Analytics | Yes | Anonymized page views & web vitals | No PII collected; no cookies | EU SCC (via Vercel) |
| Vercel AI Gateway | Premium only | PR metadata (no source code) | Opt-in per PR; choose model | EU SCC (via Vercel) + ZDR |
| AI Model Providers | Premium only | PR metadata (ZDR policy) | Choose provider via model selection | EU SCC via Gateway + ZDR |
| Slack | Optional | Alert digests (counts only) | Opt-in; remove webhook to disable | EU SCC |
| Pushover | Optional | Alert digests (counts only) | Opt-in; remove credentials to disable | EU SCC |
| Sentry | Recommended | Error reports & performance traces | Disabled unless SENTRY_DSN is set | EU SCC + DPA |
EU SCC = EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). ZDR = Zero Data Retention — data is not stored or used for model training. SOC 2 = Service Organization Control Type 2 compliance. PCI DSS = Payment Card Industry Data Security Standard. For our full Data Processing Agreement, see the DPA.
Changes to This Document
We will update this document whenever a new third-party service is added to Ridge Sight or when the data shared with an existing service materially changes. The "Last updated" date at the top of this page reflects the most recent revision.
Contact
For questions about our third-party integrations or data sharing practices, please contact us at Jay(@)chkdsklabs.io or open an issue on our GitHub repository.