How does Exceeds work with SCM data?
Last updated: February 19, 2026
How Exceeds Works With Your Code
Exceeds analyzes your engineering team's development patterns to surface actionable insights — without storing your source code. This page explains how we connect, what data we access, how we process it, and how we protect it.
Connecting Your Repositories
Exceeds integrates through your existing source control platform using standard OAuth authentication. Additional SCIM and Okta options are available for Enterprise customers.
Supported platforms: GitHub and GitLab
An admin on your team authorizes the connection and selects exactly which repositories Exceeds can access. We never get blanket access to your organization — you choose the repos, and you can revoke access at any time from your SCM's settings.
What permissions do we request?
We request read-only access to repository contents and metadata. We request read/write access to PRs only, to enable future functionality that shares code quality insights in the review process for customers who opt in to the feature. We do not request write access to the repo, and Exceeds will never push code, open pull requests, or modify your repositories in any way.
What Data We Access
Exceeds works with two types of information from your repositories:
Commit Metadata
This is the primary data Exceeds uses, and the only data we persist. Commit metadata includes:
Commit hash (unique identifier)
Author name and timestamp
Commit message
Files changed, lines added, and lines deleted
This metadata powers the majority of our analysis — team velocity, work patterns, review cycles, and contribution trends. During the initial repo analysis, we temporarily clone code for transient processing to capture metadata and index for future reference. The cloned code is not persisted.
Code Content (Temporary, On-Demand)
For deeper analysis (such as understanding code complexity or review quality), Exceeds may temporarily retrieve small code snippets from your repository via your SCM provider's API. These snippets are:
Fetched only when needed for a specific analysis
Processed in memory and immediately discarded
Never written to disk or stored in our database
The raw code is gone the moment the analysis completes. Only the AI-generated insight is retained — never the underlying source material. As new commits are made, they are analyzed via the SCM's API in memory, processed and discarded.
How This Compares to Other Developer Tools
If your team uses AI coding assistants like Cursor, Copilot, or Claude Code, those tools typically have direct, continuous access to your full local codebase — they can read any file in real time and often have write access too. Exceeds is more conservative than that.
Exceeds connects remotely through your SCM provider's API, accesses only the repositories an admin selects, and primarily works with commit metadata rather than code. When we do retrieve code, it's small snippets fetched on-demand and discarded after analysis — not a persistent connection to your file system.
In short: tools like Cursor, Copilot and Claude Code are like a developer sitting at your workstation. Exceeds is closer to a read-only analyst reviewing your git history, with occasional temporary access to code that's discarded the moment analysis completes.
How We Process Your Data
When Exceeds performs deeper analysis, code snippets are sent to enterprise-grade AI models for processing. Here's what matters:
No training on your data. Our AI provider agreements explicitly prohibit the use of customer data for model training. Exceeds has data processing agreements (DPAs) with all of our sub-processors, and specifically with the LLMs we work with.
Enterprise API access. We use enterprise-tier API endpoints with enhanced data protection, not consumer-grade services. Enterprise customers can also bring their own key (BYOK) for added control.
Ephemeral processing. AI providers process the request and return results. Your code is not logged or retained on their side.
Insights only. What comes back from the AI model is a structured insight — a summary, a pattern, a recommendation. The raw code that informed it is never stored by Exceeds or our AI providers.
What We Store (and What We Don't)
| Stored | Not Stored |
| --- | --- |
| Commit metadata (hash, author, timestamp, message, file paths, line counts) | Source code or file contents |
| AI-generated insights and analysis results | Code snippets used during analysis |
| Your team and repository configuration | Credentials or access tokens (managed by your SCM provider via OAuth) |
Your source code passes through our system transiently during analysis and is never persisted. Our database contains metadata and insights — not code.
Security & Compliance
Access Controls
Admin-gated setup. Only an admin on your team can authorize the connection and select repositories.
Granular repo selection. You choose exactly which repositories to connect. No org-wide scanning.
Revocable at any time. Disconnect Exceeds from your SCM provider's settings, and access is immediately terminated. For GitLab specifically, admins need to remove webhooks in projects connected to Exceeds.
Data Protection
Encryption in transit and at rest. All data moves over TLS 1.2+.
No code persistence. Source code is never persisted in our systems — not in databases, not in logs, not in backups.
Minimal data footprint. We store only what's needed: commit metadata, generated insights, and indexes used to refer to snippets on demand.
For High-Security Environments
For organizations with strict data residency or air-gapped requirements, we offer an in-SCM processing option or fully hosted options where analysis runs within your own infrastructure. Contact us to discuss your specific security requirements.
Frequently Asked Questions
Can Exceeds modify our code or repositories? No. We request read-only access and have no ability to push commits, open PRs, or alter your code in any way.
Does Exceeds see all our repos automatically? No. An admin explicitly selects which repositories Exceeds can access during setup. Unselected repos are invisible to us.
Is our code used to train AI models? No. Our agreements with AI providers explicitly prohibit using customer data for training. Your code is processed ephemerally and discarded.
What happens if we disconnect Exceeds? OAuth access is revoked immediately. We retain the commit metadata and insights generated during your subscription, but we can no longer access your repositories. You can request full data deletion at any time.
Can we get a SOC 2 report or security questionnaire? Yes. Contact us at security@exceeds.ai for our latest security documentation or view our Trust Center.
What if our security team needs more detail? We're happy to walk your security or IT team through our architecture in detail. Reach out to security@exceeds.ai and we'll schedule a technical deep-dive.