[ SYSTEM_DIRECTORY / PRIVACY_POLICY — GOVERNANCE ]

Privacy Policy — Governance

Our commitment to code-native security and metadata-only telemetry.

+ + + +

Mima Governance is designed on a zero-retention foundation. We analyze codebase configurations and client import trees without ever storing or copying your proprietary source code or user prompt data.

[ §05 / GOVERNANCE_PRIVACY_LEDGER ]

The Governance Privacy Ledger

How we secure your repository data and telemetry at the architectural layer.

1. Source Code Protection

Mima connects via read-only GitHub OAuth. We scan repository packages and imports temporarily in memory to detect AI client calls. **We never store, write, or transmit your proprietary source code.**

[ ENFORCED BY: READ-ONLY OAUTH RULES ]
2. Metadata-Only Attestation

Attestation logs pushed via CLI or SDK are strictly limited to metadata (system ID, mapped compliance control, timestamp, reviewer identity). **No raw prompt data, model weights, or user payloads are ever ingested.**

[ ENFORCED BY: METADATA SCHEMAS ]
3. Local PII Anonymization

Any personal identity markers (such as reviewer emails or local developer IDs) are hashed cryptographically on the client machine before being pushed to the ledger.

[ ENFORCED BY: LOCAL SHA-256 HASHING ]
4. Absolute Cache Isolation

All organization records, scan caches, and logs are logically partitioned by workspace ID at the database layer, ensuring no cross-tenant leaks.

[ ENFORCED BY: TENANT ROW-LEVEL SECURITY ]
[ Architecture Rule ]

"Security by design means we do not ask you to trust us with your code. We only trust what we can mathematically prove."

[ Attestation Standards ]
GDPR COMPLIANT BY DEFAULT
[ Target Frameworks ]

EU AI Act (Art. 9/13/14)
ISO 42001 (A.6)
SOC 2 Type II (Trust Principles)