Metadata control plane, not code custody.
ReviewRouter is designed as a metadata control plane. It keeps setup, model settings, health, and audit state in SaaS while repository code, provider credentials, and review execution stay in customer GitHub Actions by default.
Review execution stays in customer CI by default.
ReviewRouter SaaS stores metadata needed for setup, config, health, audit, and support diagnostics. Provider credentials and review workloads stay in GitHub Actions or a trusted customer runner.
What the SaaS may store
- GitHub account login, avatar URL, and GitHub user id after sign-in
- workspace, installation, repository, and selected-repository metadata
- workflow setup PR URLs, action refs, config versions, and safe health summaries
- audit events for setup, config, support diagnostics, and operational actions
What should not enter the SaaS
- repository source code
- pull request diffs, prompts, or model responses
- Codex auth.json, Claude Code OAuth tokens, OpenAI API keys, or OpenRouter keys
- raw GitHub webhook payload bodies after normalization
Beta metadata is retained only for setup, audit, support, and health operations. A published retention window belongs in the production legal package.
Uninstalling the GitHub App stops future access. Workspace metadata deletion should be requested through quantjumppro@gmail.com until an owner self-serve deletion flow exists.
Hosted beta uses the production hosting, database, and GitHub integration stack. A formal subprocessor list belongs in the production legal package.