If your security team is concerned about sharing source code with third-party analytics tools, the metadata-only approach solves this. Velocinator delivers deep engineering insights while never accessing your intellectual property.
When we tell engineering leaders we can measure their team's productivity, the first question is usually: "What data do you need access to?"
It's a fair question. Your source code is your company's intellectual property. It's the product of years of work, contains trade secrets, and is often your primary competitive advantage. Handing it over to a third-party analytics tool is a non-starter for most security teams.
Here's our answer: We never need to see your code.
What We Collect
Velocinator operates on metadata only. Here's exactly what we pull from your integrations:
From GitHub/GitLab
- PR numbers, titles, and timestamps
- Commit messages (first 500 characters only)
- Author usernames
- Line counts (additions, deletions)
- Review approval/rejection status
- Repository names
- Release tags and timestamps
From Jira
- Issue keys and titles
- Status and status change timestamps
- Story points
- Sprint assignments
- Assignee usernames
What We Never Collect
- Source code or file contents
- Code diffs or patches
- Review comment content
- Issue descriptions or detailed comments
- File paths beyond repository structure
- Secrets, tokens, or credentials
Why Metadata Is Enough
You might wonder: Can you really measure engineering productivity without seeing the code?
Yes. Here's why.
Cycle Time Doesn't Need Code
PR cycle time—from first commit to merge—is calculated entirely from timestamps. We know when the first commit landed, when the PR was opened, when reviews happened, and when it merged. The code itself is irrelevant to this calculation.
Activity Patterns Are In The Timestamps
GitHub activity heatmaps, commit frequency, and review turnaround are all derived from when events happened, not what was in them.
Line Counts Tell The Story
To understand code churn and PR size, we only need to know: How many lines were added? How many were deleted? We don't need to see which lines.
Jira Gives Context
Story points, sprint assignments, and issue status let us connect coding activity to planned work. We don't need the full issue description to know that PROJ-123 moved from "In Progress" to "Done" on Tuesday.
The Security Implications
By operating on metadata only, we dramatically reduce our attack surface—and yours.
If We're Breached
In the worst-case scenario, an attacker who compromises Velocinator would learn:
- Your team's GitHub usernames
- PR titles and timing
- How fast your team reviews code
They would NOT learn:
- How your authentication system works
- What vulnerabilities exist in your codebase
- Any trade secrets or proprietary algorithms
Compliance Is Simpler
For teams with SOC 2, HIPAA, or other compliance requirements, metadata-only collection is much easier to justify. There's no code exfiltration risk to document in your security review.
Read-Only, Minimal Permissions
Our GitHub OAuth integration requests only the permissions we need: repository metadata and PR information. We don't ask for write access. We can't push code, modify PRs, or access your secrets.
But What About AI Insights?
You might think: "If you're using AI to analyze our productivity, doesn't the AI need to see the code?"
No. Our AI-powered insights analyze patterns in the metadata:
- "This PR has been open for 5 days with no reviews" doesn't require code
- "Developer A's cycle time increased 40% this sprint" is a timestamp calculation
- "Team B has 3 PRs over 1000 lines—consider breaking them down" uses line counts only
We can identify risky PRs, detect bottlenecks, and surface trends without ever reading a line of your actual source code.
Trust, But Verify
We've written about our security practices here. But you shouldn't just take our word for it.
Review our OAuth permission scopes when you connect. Check your GitHub organization's third-party access logs. Our integration will show exactly what endpoints we're calling and what data we're receiving.
Engineering productivity matters. But not at the cost of your intellectual property. With Velocinator, you don't have to choose.
Frequently Asked Questions
- Does Velocinator access my source code?
- No. Velocinator uses a metadata-only approach. We analyze commit metadata (timestamps, file names, line counts), PR metadata (comments, approvals, timelines), and Jira metadata (status changes, assignees). We never read, store, or process your actual source code.
- How can you measure engineering productivity without reading code?
- Most productivity signals come from metadata: when commits happen, how long PRs take to review, how tickets flow through your workflow. These patterns reveal bottlenecks, collaboration health, and delivery speed without needing to see a single line of code.
