
Security Practices

Last updated: November 2024

We take the security of customer data very seriously at Greptile. If you have additional questions regarding security, we are happy to answer them. Please write to security@greptile.com and we will respond as quickly as we can. The Security Practices page describes the administrative, technical and physical controls applicable to Greptile.

Hosting and Architecture

Greptile is available as either a cloud-based or on-prem ("bring-your-own-cloud") service.

Cloud-based (hosted) services

The infrastructure for Greptile is provided and hosted by Amazon Web Services, Inc. ("AWS"). Information about security provided by AWS is available from the AWS Security website. Information about security and privacy-related audits and certifications received by AWS, including information on SOC reports, is available from the AWS Compliance website.

In addition to AWS, Greptile uses vector database services from Lantern Systems, Inc.

Greptile uses services from Supabase, Inc. for authentication and database services. Information about their security practices can be found on the Supabase Security page.

Greptile uses services from Helicone, Inc. for monitoring and observability into the LLM inference. Self-hosted Greptile does not have Helicone monitoring by default. Information about their security practices can be found on the Helicone Privacy page.

Lastly, Greptile's cloud-based version uses OpenAI's API platform for AI inference. Information about their security practices can be found at the OpenAI Enterprise Privacy page.

On-premises (self-hosted) services

For self-hosted Greptile services, Custom Apps are hosted using your own infrastructure - such as on-premises - so that you and your users can build, run, and use Greptile in your virtual private cloud (VPC) or behind your virtual private network (VPN). In provisioning a self-hosted account of the Greptile services, our self-hosted image is built with the latest upstream version of Amazon Linux (Greptile's base operating system image) with the latest security patches and updates.

Large Language Model (LLM) Inference

Customers that choose to self-host Greptile can choose to also self-host LLMs instead of using OpenAI's API Platform for inference. Customers can also "bring their own LLM" by inserting their own base URL and keys.

Storage of Customer Code

Greptile does not store customer code. Greptile may store vector embeddings of file paths, documentation, and AI generated docstrings in a vector database, but code is pulled on an 'as needed' basis from the customer's code hosting service, such as GitHub, and is only stored ephemerally for a few minutes at a time. Note that if the customer chooses to opt for the on-premises option, their code would not leave their servers or their provisioned cloud at all.

If the customer chooses to use the cloud-based version of Greptile, the ephemeral storage of code would occur on AWS services provisioned by Greptile.

Storage of Customer Data

Greptile stores logs of customer chats in an AWS DynamoDB database. Members of the Greptile team may access these chat logs in order to provide technical support. Customers can choose to turn off logging and make chats 100% private. Note that in the self-hosted service, logs are stored on customer servers only.

Confidentiality and Security Controls

Confidentiality

Greptile places strict controls over its employees' access to Customer Data. The operation of Greptile requires that some employees have access to the systems which store or process this information and data.

For example, in order to diagnose a problem the customer is having with the Greptile services, we may need to access the customer's account. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to the customer account is logged.

All of our employees and contract personnel are bound to our policies regarding confidentiality and we treat these issues as matters of the highest importance within our company.

Return and deletion of customer data

Within 30 days post contract termination, the customer may request return of Customer Data stored by Greptile (to the extent such data has not already been deleted by the customer).

Greptile provides the option for administrators to delete all Customer Data stored by Greptile at any time during a subscription term. Within 24 hours of administrator-initiated deletion, Greptile hard deletes all Customer Data from currently running production systems. Greptile-maintained backups of services and data may be destroyed within 30 days (backups are destroyed within 30 days, except that during an on-going investigation of an incident such period may be temporarily extended).

Monitoring and Validation

Certificates

Greptile is SOC2 Type II compliant. Customers may download a copy of Greptile's SOC2 Type II report by reaching out to security@greptile.com.

At a minimum, Greptile will align with prevailing industry standards such as SOC 2 Type II, or any successor or superseding standard.

Audits

To verify that our security practices are sound and to monitor the Greptile services for new vulnerabilities discovered by the security research community, the Greptile services undergo security assessments by internal personnel and by respected external security firms who perform regular audits of the Greptile services. In addition to periodic and targeted audits of the Greptile services, we also employ continuous hybrid automated scanning of our web platform. Customers may download a copy of available applicable external audit reports by reaching out to security@greptile.com.

Personnel

Greptile conducts background checks on all employees before employment, and employees receive privacy and security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of the Greptile services.

For any other questions, please feel free to reach out to security@greptile.com, and we will get right back to you.