What we read, what we don’t
Three integrations. Metadata only.
Sonar connects to Slack, GitHub, and your calendar. From each one we read a small set of structural facts — never the words inside.
- Slack
We see · Message timestamps, channel IDs (hashed), reaction events, message length, whether the message is in a thread, and whether it contains a question mark.
We don’t · Message text. Attachments. DMs.
- GitHub
We see · PR open / merge / review events. File-count and line-count totals. CI status.
We don’t · Diff contents. Commit messages. Issue bodies.
- Calendar
We see · Meeting count. Duration. Attendee emails. Whether you accepted or declined.
We don’t · Event titles. Descriptions. Attachments. (Off by default.)
See the full per-source disclosure on /privacy. Each person on your team has a /me page where they can see exactly what was collected about them and turn off any source they want.
Built today
What’s shipped right now.
Encrypted in transit and at rest
Every connection uses TLS. OAuth tokens and other sensitive fields are sealed with AES-256-GCM at the application layer, with keys unique to each deployment.
Append-only audit log
Every admin action — inviting someone, connecting an integration, flipping the kill-switch, exporting data — is recorded with chained hashes. Even Sonar staff can't edit or delete entries without breaking the chain.
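To show what "recorded with chained hashes" means in practice, here is an added illustration (not Sonar's own code; the entry fields, the SHA-256 choice and the sample actions are assumptions) of an append-only log where each entry's hash covers the previous entry's hash, so editing or deleting an entry breaks every link after it:

```python
import copy
import hashlib
import json
from typing import List, Optional

# Constructed sentinel: the "previous hash" of the first entry.
GENESIS_HASH = "0" * 64
BODY_FIELDS = ("seq", "ts", "actor", "action", "details")


def _canonical(obj) -> bytes:
    # Deterministic serialisation: key order and spacing must not change the hash.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, body: dict) -> str:
    # Each hash binds this entry's content to the hash of the entry before it.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(_canonical(body))
    return h.hexdigest()


def append_entry(log: List[dict], actor: str, action: str, ts: int,
                 details: Optional[dict] = None) -> dict:
    prev = log[-1]["hash"] if log else GENESIS_HASH
    body = {"seq": len(log), "ts": ts, "actor": actor,
            "action": action, "details": details or {}}
    entry = {**body, "prev_hash": prev, "hash": entry_hash(prev, body)}
    log.append(entry)
    return entry


def verify_chain(log: List[dict]) -> Optional[int]:
    """Return None if the chain is intact, else the index of the first bad entry."""
    prev = GENESIS_HASH
    for i, e in enumerate(log):
        body = {k: e[k] for k in BODY_FIELDS}
        if e["seq"] != i or e["prev_hash"] != prev or e["hash"] != entry_hash(prev, body):
            return i
        prev = e["hash"]
    return None


def demo() -> dict:
    # Constructed sample of the admin actions the page lists.
    log: List[dict] = []
    append_entry(log, "owner@example.com", "integration.connect", 1700000000, {"source": "github"})
    append_entry(log, "owner@example.com", "kill_switch.engage", 1700000600)
    append_entry(log, "admin@example.com", "data.export", 1700001200)

    edited = copy.deepcopy(log)
    edited[1]["action"] = "member.invite"      # rewrite history -> detected at index 1

    deleted = copy.deepcopy(log)
    del deleted[1]                            # drop an entry -> detected at index 1

    return {
        "intact": verify_chain(log),          # None
        "edited": verify_chain(edited),       # 1
        "deleted": verify_chain(deleted),     # 1
    }


if __name__ == "__main__":
    print(demo())
```

One caveat a reviewer should ask about: a chain by itself does not detect truncation from the tail, since a shortened log is still internally consistent. The usual fix is to publish or externally store the latest head hash (or sign it) so the expected length is anchored somewhere the log writer cannot edit.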
Org-wide kill-switch
Any workspace owner can pause Sonar instantly. All processing halts within minutes. Useful during a layoff, an investigation, or a regulatory request — when the right answer is "stop everything now."
Per-employee controls
Each person on your team has a /me page where they can pause data collection, turn off any one source (Slack / GitHub / Calendar), export everything we have on them, or trigger a 30-day-grace deletion. No support ticket required.
Tenant isolation
Customer data is isolated at the database level — not just enforced in application code. A bug in our query layer can't leak across organizations.
Webhook signature verification
Every inbound event from Slack, GitHub, Stripe, or our email provider is signed by them and verified by us. A five-minute freshness window blocks replay attacks.
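As an added example of the check described above (not Sonar's code), the following verifies an HMAC-SHA256 webhook signature and enforces a five-minute freshness window. The `version:timestamp:body` construction follows Slack's documented v0 signing scheme; the secret, header values and delivery IDs are constructed, and the delivery-ID deduplication is an assumed extra that closes the replay gap inside the window:

```python
import hashlib
import hmac
import time
from typing import Optional, Set, Tuple

MAX_SKEW_SECONDS = 300  # five-minute freshness window


def sign(secret: bytes, timestamp: int, body: bytes, version: str = "v0") -> str:
    # Sender side: sign version, timestamp and raw body together so none can be swapped.
    base = b":".join([version.encode(), str(timestamp).encode(), body])
    return f"{version}=" + hmac.new(secret, base, hashlib.sha256).hexdigest()


def verify(secret: bytes, timestamp_header: str, signature_header: str, body: bytes,
           now: Optional[int] = None, seen_ids: Optional[Set[str]] = None,
           delivery_id: Optional[str] = None) -> Tuple[bool, str]:
    """Receiver side. Returns (accepted, reason)."""
    now = int(time.time()) if now is None else now
    try:
        ts = int(timestamp_header)
    except (TypeError, ValueError):
        return False, "malformed_timestamp"

    # Reject anything outside the window before doing any crypto work.
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return False, "stale_timestamp"

    version = signature_header.split("=", 1)[0]
    expected = sign(secret, ts, body, version)
    # Constant-time comparison: never use == on signatures.
    if not hmac.compare_digest(expected, signature_header):
        return False, "bad_signature"

    # Optional: a fresh, validly signed event can still be replayed inside the
    # window, so remember delivery IDs for at least MAX_SKEW_SECONDS.
    if seen_ids is not None and delivery_id is not None:
        if delivery_id in seen_ids:
            return False, "replayed"
        seen_ids.add(delivery_id)
    return True, "ok"


def demo() -> dict:
    # Constructed values standing in for a real signing secret and event.
    secret = b"constructed-signing-secret"
    body = b'{"type":"event_callback","event":{"type":"reaction_added"}}'
    ts = 1700000000
    sig = sign(secret, ts, body)
    seen: Set[str] = set()
    return {
        "fresh": verify(secret, str(ts), sig, body, now=ts + 10, seen_ids=seen, delivery_id="d1"),
        "replay": verify(secret, str(ts), sig, body, now=ts + 20, seen_ids=seen, delivery_id="d1"),
        "late": verify(secret, str(ts), sig, body, now=ts + 301),
        "tampered": verify(secret, str(ts), sig, body + b" ", now=ts),
        "forged": verify(secret, str(ts), "v0=" + "0" * 64, body, now=ts),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:9} -> {result}")
```

Two design points worth noting. The body must be the raw request bytes, not a re-serialised JSON object, or the HMAC will not match. And a timestamp window only bounds how long a captured request stays valid; GitHub's `X-Hub-Signature-256` scheme, for instance, signs the body alone with no timestamp, so replay protection for that source has to rest on delivery-ID deduplication.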
Not done yet
What’s on the roadmap.
Honest list. We’d rather you decide with the gaps in front of you than discover them after a security review.
SOC 2 Type I report
Audit fieldwork is scheduled for Q3 2026. Until the report lands we won't claim Type I. Until Type II observation completes (Q3 2027 target) we won't claim Type II.
External penetration test
Scheduled for Q3 2026 alongside the SOC 2 audit. We run an internal red-team today; we don't have a third-party attestation yet.
Customer-managed keys (BYOK)
Per-deployment AES-256-GCM keys today. Customer-managed keys are a Q4 2026 item. If your security team needs them sooner, talk to us.
EU data residency
Primary infrastructure is US-only today; EU/UK transfers happen under SCCs Module 2. EU-resident infrastructure is on the roadmap but not committed to a date.
Public bug-bounty program
On the roadmap. Email security@sonarwork.com for responsible disclosure today — we respond inside one business day and credit reporters with permission.
Hard limits
What we’ll never do.
Not policy, not "we’d rather not." Each item below is enforced at the product or contract layer.
Read the contents of any message.
Sell or share customer data with anyone outside the disclosed subprocessors.
Train AI models on your data. (Anthropic doesn't either, per their commercial terms.)
Recommend firing, PIPs, or any adverse employment action. The brief composer rejects outputs that try to.
Send anything to HR. The brief is for the manager only.
Reporting a vulnerability
Found something? Tell us.
Email security@sonarwork.com. Response inside one business day. Critical fixes inside seven days. Public credit with your permission.
Last updated
Ready when you are
Now that you've read the security posture.
Try Sonar with your team. Free while we build with you. Direct line to the founder.
No card · Cancel any time