Skip to main content

Trust, SLA, and Security

This page summarizes the operational questions teams usually ask before connecting a repository: what Buzzbin can access, what it stores, and what security and reliability guardrails exist.

Repository access

Buzzbin needs a Project Access Token and webhook to review MRs. The token is used to read diffs and required files, then post review output back to GitLab. The full token is not returned in normal API responses. If it is rotated or revoked, you need to save the new value in Buzzbin.

Data retention

Buzzbin stores repository metadata, settings, runs, findings, costs, and review outputs needed for the product to work. It does not keep a permanent clone or a full source-history snapshot of your repository. Diffs and required files are processed for the review run.

For more detail, see Privacy and Data.

Webhooks and secrets

Each repository has a webhook secret so Buzzbin can distinguish trusted GitLab events from anonymous requests. If a GitLab webhook is disabled or removed, Buzzbin's health checks and repair paths try to re-enable or recreate it.

Reviewer agent limits

The review agent uses read-only review tools and defined review outputs. Its job is to inspect diffs and produce findings, summary, merge risk, and relevant answers. It is not intended to execute arbitrary code in your infrastructure.

Reliability and SLA

Reviews depend on the queue, GitLab, the AI model provider, and wallet balance. If one of these dependencies is unavailable, a job may be skipped, deferred, or failed, and its status is visible in the console. For enterprise accounts, specific operational commitments and SLA terms should be defined in the account contract.

Your team's responsibilities

  • Create tokens with the minimum required access.
  • Revoke compromised or outdated tokens and save replacement tokens promptly.
  • Keep Buzzbin and GitLab membership up to date.
  • Configure ignored paths and finding categories deliberately for sensitive repositories.

Trust boundary

Buzzbin is an assistant reviewer. Final merge, security approval, and release decisions remain with your team. Treat AI output like another reviewer's input: useful and actionable, but still requiring human judgment for sensitive changes.