DéjàDéjài
Security & privacy

Zero-Retention Architecture

Déjà is designed as a pass-through analysis layer. We hash your stack traces in memory and discard the raw payload immediately. We never store your source code.

No training on customer IPEphemeral raw processing (TTL)Tenant-isolated vaultsEncryption by default
Model policy
Privacy
No Generative Models (Legal Guarantee)

Our Terms of Service explicitly prohibit the training of generative AI models on customer data. Our 'Deterministic Matching' engine (Patent Pending) relies on hashing, not inference, eliminating the risk of model hallucination or data leakage.

Outputs are evidence-based artifacts (PR + diff that shipped), not generated remediation text.

Verify in Privacy Policy
Data lifecycle
Retention
Metadata Retention Only

Déjà minimizes retention by design. Raw incident payloads are used only to compute stable incident identity and to evaluate validation gates.

  • • Raw stack traces/log payloads are processed in memory and discarded immediately
  • • Only hashes and minimal metadata required for recall/validation are persisted
  • • Retained data is scoped to the customer tenant and purpose-limited
Example
incident_id = sha256(normalized_signal)
vault stores: incident_id + validated_fix_link
Isolation
Tenant
Customer vaults are isolated

Each customer has a logically isolated vault. Data does not mingle across tenants. Access is scoped by integration permissions and governed by tenant-level controls.

Per-tenant keysScoped tokensAudit trails

Vault architecture

High-level data flow showing minimization, hashing, and tenant isolation.

Integrates with Sentry/Datadog + GitHub/GitLab
Customer systems
Sentry / Datadog
GitHub / GitLab
CI/CD

Access is granted via scoped OAuth tokens or app installations. Permissions are limited to what is required for operation (least privilege).

Déjà processing
Normalize
Stabilize paths, remove noisy fields, preserve invariants.
Hash
Compute incident identity (e.g., SHA-256 over normalized signal).
Payload Destruction
Raw stack traces and incident payloads are discarded immediately after hashing.
Validate
File/rate/duration gates determine recall eligibility.

Raw payloads are not retained; processing is ephemeral (TTL: immediate discard).

Customer vault (tenant)
Isolated storage
Stores stable incident identity + validated links to shipped fixes. No global sharing.
Tenant controls
Access policies, encryption keys, audit logging, and integration governance.

Retention is purpose-limited. Where temporary text is required for normalization/validation, it is processed ephemerally and discarded immediately.

Security controls overview

The controls below summarize our approach across confidentiality, integrity, and availability. Specific implementations may vary by deployment configuration.

Data protection
  • Encryption in transit (TLS)
  • Encryption at rest
  • Tenant isolation boundaries
  • Least-data retention (TTL: raw payloads discarded immediately)
  • Audit logging for sensitive actions
Access & operations
  • Least-privilege access controls
  • Scoped integration tokens (OAuth/app installs)
  • Change management and deployment controls
  • Incident response procedures
  • Ongoing dependency and vulnerability management
Compliance

Compliance-Ready Design

Déjà's infrastructure is built on AWS GovCloud standards, with encrypted-at-rest data vaults and single-tenant logical isolation. We support rigid Data Processing Agreements (DPAs) and immediate 'Right to be Forgotten' execution.

Readiness → Audit
Phase 1
Control foundations

Policies, access governance, logging, evidence collection, and risk review.

Phase 2
Readiness assessment

Controls testing, remediation, and auditor-aligned readiness reporting.

Phase 3
Third-party audit

SOC 2 Type I, followed by Type II based on customer timelines and operating period.

During evaluation, we can provide a security overview, integration scopes, and retention behavior to support your internal review.

Download Security Architecture (PDF)

The Data We Do NOT Touch

Explicit boundaries on what we never ingest or store.

  • ×Source Code Repositories — We only read Metadata/SHAs.
  • ×PII / User Databases — We sanitize payloads instantly.
  • ×Environment Variables / Secrets

Security review ready.

We will walk your CISO through access scopes, retention policies, and architectural isolation. The goal is straightforward: prove Déjà is safe to connect.

Book Security ReviewView Privacy Policy

GDPR & CCPA Compliant