# Security
Last updated: October 26, 2025
## Vendor summary
| Category | Vendor | Data handled |
|---|---|---|
| Edge & networking | Cloudflare | Request metadata for routing, WAF, and DDoS protection |
| Application runtime | Fly.io | Application services, secrets, deployment logs |
| Database | Neon | Postgres records with encryption at rest and PITR |
| AI inference | OpenAI | Prompts and responses with no training usage |
| AI observability | Langfuse | Prompt metadata and metrics |
| Crawl automation | Firecrawl | Public web pages fetched for evaluation |
| Background jobs | Trigger.dev | Scoped workflow payloads for background jobs |
| Vector storage | Turbopuffer | Obfuscated embeddings and hashed identifiers |
| Web search | Exa | Generated search queries only |
| Monitoring | Sentry | Sanitized error traces (90-day retention) |
| Product analytics | Posthog | Aggregate usage events without source code |
| Billing | Stripe | Payment instruments, invoices, and tax details |
## Codebase indexing
Mistle never persists raw source code on our servers. The desktop app scans the repository you open and computes a hashed Merkle snapshot so it can detect changes without re-uploading every file. Files matched by your .gitignore, our default denylist (binaries, build artefacts, env files, large binaries), or size limits are ignored. Only chunk identifiers, hashes, and metadata land in the app’s local SQLite cache; plaintext code remains in memory just long enough to encrypt and stream it.
For remote processing we stage the current chunk set in an encrypted Cloudflare R2 bucket that is purged automatically. Background jobs use the staged data to generate summaries with OpenAI, derive embeddings, and store the summaries plus metadata in Turbopuffer; the source text itself is never stored there. Postgres tracks only project-level pointers (root hashes, doc IDs, branch info, last-sync timestamps) so we can diff future syncs and handle branch deletion without needing the code. Incremental updates send only changed files, and periodic validation reconciles the remote metadata with the local Merkle tree.
When you query the codebase we embed the question (again via OpenAI), run a vector search, and return summaries with file and line references. If the UI needs exact code, it reads from your local filesystem instead of any server store. Staged chunk artefacts exist at most 24 hours or until the next sync, after which the encrypted bucket is cleaned up.
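The snapshot, change-detection and reconciliation steps described above, as an added illustration that is not Mistle's own code: a small in-memory model of a repository is filtered by an assumed denylist and size limit, hashed chunk by chunk into a Merkle tree, diffed against an earlier snapshot to find the files that would need re-uploading, and checked against a remote metadata index that holds only per-file hashes. The chunk size, size limit, denylist patterns and the dict-as-repository stand-in are all assumptions made for the example.

```python
"""Added example (not Mistle's code): hashed Merkle snapshot of a repo,
denylist/size filtering, incremental diff, and metadata reconciliation."""
import fnmatch
import hashlib
import os
from dataclasses import dataclass

CHUNK_SIZE = 4096          # assumed chunk size; the page does not state one
MAX_FILE_BYTES = 1_000_000 # assumed per-file size limit

# Assumed default denylist, modelled on "binaries, build artefacts, env files".
DEFAULT_DENYLIST = ["*.exe", "*.dll", "*.so", "*.o", "*.png", "*.jpg",
                    ".env", ".env.*", "node_modules/*", "build/*", "dist/*"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def is_ignored(relpath: str, patterns: list[str], size: int) -> bool:
    """True if the file is over the size limit or matches a denylist pattern."""
    if size > MAX_FILE_BYTES:
        return True
    base = os.path.basename(relpath)
    return any(fnmatch.fnmatch(relpath, p) or fnmatch.fnmatch(base, p) for p in patterns)


def chunk_hashes(content: bytes) -> list[str]:
    """Hash fixed-size chunks; only these hashes are retained, never the bytes."""
    chunks = [content[i:i + CHUNK_SIZE] for i in range(0, len(content), CHUNK_SIZE)]
    return [sha256_hex(c) for c in chunks] or [sha256_hex(b"")]


def merkle_root(leaves: list[str]) -> str:
    """Standard binary Merkle root; an odd last node is paired with itself."""
    nodes = list(leaves)
    while len(nodes) > 1:
        if len(nodes) % 2:
            nodes.append(nodes[-1])
        nodes = [sha256_hex((nodes[i] + nodes[i + 1]).encode()) for i in range(0, len(nodes), 2)]
    return nodes[0]


@dataclass
class Snapshot:
    files: dict[str, list[str]]  # relpath -> chunk hashes (metadata only)

    def file_hash(self, path: str) -> str:
        return merkle_root(self.files[path])

    @property
    def root(self) -> str:
        # One leaf per file (path bound to its file root), sorted for determinism.
        leaves = [sha256_hex(f"{p}\0{self.file_hash(p)}".encode()) for p in sorted(self.files)]
        return merkle_root(leaves) if leaves else sha256_hex(b"")


def build_snapshot(tree: dict[str, bytes], patterns: list[str] = DEFAULT_DENYLIST) -> Snapshot:
    """tree maps relpath -> bytes (in-memory stand-in for a checked-out repo).
    Plaintext is hashed and dropped; the snapshot holds hashes only."""
    files = {p: chunk_hashes(c) for p, c in tree.items() if not is_ignored(p, patterns, len(c))}
    return Snapshot(files)


def diff_snapshots(old: Snapshot, new: Snapshot) -> dict[str, list[str]]:
    """Files that would need (re)uploading and files that disappeared."""
    if old.root == new.root:                       # cheap early exit on identical trees
        return {"changed": [], "deleted": []}
    changed = [p for p in new.files if old.files.get(p) != new.files[p]]
    deleted = [p for p in old.files if p not in new.files]
    return {"changed": sorted(changed), "deleted": sorted(deleted)}


def reconcile(local: Snapshot, remote_index: dict[str, str]) -> dict[str, list[str]]:
    """Periodic validation: compare remote per-file hashes against the local tree."""
    stale = [p for p, h in remote_index.items() if p not in local.files or local.file_hash(p) != h]
    missing = [p for p in local.files if p not in remote_index]
    return {"stale_remote": sorted(stale), "missing_remote": sorted(missing)}


# Constructed sample repository for the demo.
SAMPLE_REPO = {
    "src/main.py": b"print('hello')\n",
    "src/util.py": b"def add(a, b):\n    return a + b\n",
    ".env": b"SECRET=never-uploaded\n",           # env file: denylisted
    "build/app.o": b"\x7fELF-placeholder",        # build artefact: denylisted
    "assets/big.bin": b"\x00" * (MAX_FILE_BYTES + 1),  # over size limit
}

if __name__ == "__main__":
    first = build_snapshot(SAMPLE_REPO)
    edited = dict(SAMPLE_REPO)
    edited["src/util.py"] = b"def add(a, b):\n    return a + b  # v2\n"
    second = build_snapshot(edited)
    print("indexed:", sorted(first.files))
    print("diff:", diff_snapshots(first, second))
```

The remote side in this model never sees file contents: `reconcile` works purely on the per-file hashes that `Snapshot` keeps, which is the same shape of metadata the page says Postgres and Turbopuffer hold.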
## Contact & disclosure
Please send questions and responsible disclosure reports to security@mistle.dev.