Scoped GitHub connection
Moxie uses GitHub App installs so your team chooses exactly which repositories a workspace can reach. It never sees the repositories you do not select.
Security
Moxie Docs connects to GitHub, reads the code in the repositories you select, generates documentation, exposes MCP-ready context, and opens docs-only pull requests when automation is enabled. It never commits to your code and never merges anything. Access stays scoped, credentials stay server-side, and every merge decision stays in your GitHub workflow.
Moxie uses GitHub App installs so your team chooses exactly which repositories a workspace can reach. It never sees the repositories you do not select.
Moxie proposes documentation as pull requests on their own branch. It never pushes to your branches and never merges anything, so your team controls every merge.
GitHub access tokens are minted on demand for a single set of API calls and then discarded. They are never written to our database. MCP tokens you create are encrypted at rest.
All traffic runs over TLS, and stored data, including indexed content and generated docs, is encrypted at rest by our infrastructure providers.
AI requests are assembled server-side from small, focused excerpts rather than your whole repository. Under our AI provider's API terms, your code is not used to train or improve their models.
The indexer skips common secret files, environment files, generated assets, dependency folders, binaries, and any paths excluded by your repository rules.
Workspace roles control who can reach repository docs, MCP context, settings, billing, and admin tools. Each workspace's data is isolated to its own organization.
Delete a repository or your entire account from settings and its indexed content, embeddings, and generated docs are removed. You can also pause automation at any time.
Webhook processing, indexing jobs, authentication, billing, and automation record operational events for debugging and internal audit trails.
Capabilities
The GitHub connection is scoped to a narrow job: read the repos you pick, and propose docs as pull requests you review.
Security FAQ
The questions teams and security reviewers ask most before connecting a private repository.
If you believe you have found a security vulnerability in Moxie Docs, please email contact@moxiedocs.com with steps to reproduce. We acknowledge reports as quickly as we can, investigate every submission, and will keep you updated on remediation. This program is also published at /.well-known/security.txt.
In scope: the Moxie Docs web app and API at moxiedocs.com, our GitHub App, our MCP server, and our Slack integration. We support good-faith research and will not pursue or support legal action against researchers who follow this policy, avoid privacy violations and service disruption, and give us reasonable time to fix an issue before public disclosure. We do not currently run a paid bug-bounty program.
Our privacy policy, terms, and current subprocessor list cover data handling, retention, and the providers we use to run the service.
Contact
Email contact@moxiedocs.com for security questions, a data processing agreement, deployment plans, or a guided first-repo test.