Security & Privacy

Do you ingest our source code? What data does Multitudes get?

No, our app does not ingest your codebase – instead, we look at code metadata from GitHub. This metadata includes information about pull requests (such as when they were created, who the author was, commits made on the pull request, number of lines changed, etc.) and about comments (including comments written on pull requests and reviews submitted). We also pull in the contents of comments and reviews. When you set up the GitHub installation, you can see the full list of permissions that Multitudes requests.

For GitHub Actions, we ask for read-only access to Deployments and Environments so that we can receive deployment events and determine which deployment environments you have set up for each repository. This lets us list deployment environments through GitHub's REST API and subscribe to deployment events, as described in GitHub's documentation.

Note that this does not grant us access to secrets or variables contained in your environments. As GitHub's documentation on Secrets states: "GitHub Apps must have the secrets permission to use these endpoints." The secrets permission is something Multitudes would never require or ask customers for.

How safe is our data?

We keep your data secure by using the latest cloud technologies and security principles. All data is encrypted at rest and in transit, with strict access control as to who can see what data. We only store the minimum data that we need to provide insights for you and your team.

For more information, check out our Security page.

How will this protect the privacy of GitHub users and my team?

Most of the data that Multitudes shows is already visible to team members; Multitudes aggregates the information and shows it in new ways.

Multitudes may show individual insights about Collaboration and Wellbeing because those insights are useful for supporting individuals. However, Multitudes limits the detail it shows about performance by aggregating this data so it’s not shown by individual. This is because PRs are a team sport, so it’s important to focus on team performance over individual performance. We do this both to protect the privacy of individuals and to discourage users from making reductive decisions using Multitudes (since Multitudes is only one measure of a team member's contributions to a team).

For more information, please see the latest privacy policy on the Multitudes website here.

Who can see my individual performance data?

Our data ethics principles guide us to use data to empower teams – to support them to make better decisions for themselves. Code is a team sport, and a 10x team is far more important than a lone 10x developer. That’s why we don’t show individual performance metrics – because they’re not the outcome we need to solve for. (If you’re curious, this blog post shares more about what we measure and why.)

We know that it’s tempting to look for a quick or “simple” answer on how team members are contributing – but unintended consequences are a reality. Individual performance metrics often encourage people to game the numbers or make overly simplistic inferences about performance. Both of those contribute to a broader environment where people optimize for themselves instead of for the team – the opposite of the outcome we want. The result of this can be detrimental to delivering against business goals and customer value. This is also why our app encourages and even suggests questions to explore with the team to get more context on the data.

The only time we do show individual metrics is when they meet our data ethics principles – specifically, that the likelihood of using the metric to support people is higher than the likelihood of it being used to harm. Wellbeing and collaboration metrics like Review Wait Time, Out-of-Hours Work, or PR Feedback Given show who’s waiting too long for feedback, who’s at risk of burnout, and who’s doing the glue work to support others on the team (respectively).

We do regular reviews of new features against our data ethics principles, and we welcome feedback on our approach – so feel free to get in touch if you have thoughts!

Can I (as an individual team member) opt out? 

Yes, you can. Just email support@multitudes.co and we’ll take care of that for you. If you opt out, we won’t show your individual data in the Multitudes app and you’ll no longer have access to the app.

For teams where one person wants to opt out, we do recommend that the whole team have a conversation about whether they should be using Multitudes. Our goal is to support team collaboration, and so we think it's best that the team make a unified decision about whether or not to use our product.

What will you do with our data if we cancel our plan?

If your organization cancels your plan, we will keep your data for 30 days. After that, we will delete all data for your organization. 
