Skip to main content


At Signadot, we follow best practices around privacy and security that are constantly kept up to date through routine security audits and well documented procedures around handling of security issues.


Signadot uses TLS for all networking in and out of our service including from the browser to our API and from the API to your Kubernetes cluster, and all other points of communication.

Data Storage

Signadot minimizes storage of identifying information. We do not store API keys or cluster tokens, rather hashed values of them together with a masked value for display. We no longer store metadata about GitHub pull requests, except in deprecated APIs. We do, however store references to in-cluster data, namely the CRDs the Signadot Operator creates and manages, and, by extension, the fields in those CRDs which make reference to in-cluster data such as workload names and docker images.

Any information we do store is placed in an encrypted relational database.


The following is information regarding the data that we access from integrations.


The minimal required Kubernetes RBAC permissions to function are requested during the installation of the operator. Pod logs are streamed securely over the TLS encrypted tunnels and not stored in any way. For detailed documentation on the Kubernetes RBAC permissions, refer to Kubernetes Permissions.

Signadot uses helm to install a cluster agent as part of the Signadot Operator on a Kubernetes cluster. This agent connects securely using TLS encrypted TCP tunnels to the Signadot API Server to enable serving authenticated previews over *