VelocinatorVelocinator
Business & Security6 min read

Why the 'Metadata-Only' Approach is the Future of Engineering Intelligence

January 24, 2026
Why the 'Metadata-Only' Approach is the Future of Engineering Intelligence — Business & Security article on engineering productivity

When we talk to enterprise security teams about engineering analytics, the first question is always: "What data do you need access to?"

It's the right question. Source code is intellectual property. It contains trade secrets, proprietary algorithms, and competitive advantages built over years. Handing that to a third-party vendor is a non-starter for any serious security organization.

Here's our answer: We don't need your source code. Ever.

The Metadata-Only Architecture

Velocinator operates exclusively on metadata—information about your code, not the code itself.

What We Collect

From GitHub/GitLab:

  • PR titles, numbers, and timestamps
  • Commit messages (truncated to 500 characters)
  • Author usernames and email hashes
  • Line counts (additions, deletions)
  • File paths (directory structure only)
  • Review events (approval, rejection, comment count)
  • Repository names and IDs

From Jira:

  • Issue keys and titles
  • Status transitions and timestamps
  • Story points and priority
  • Sprint assignments
  • Assignee information

What We Never Collect

  • Source code content
  • Code diffs or patches
  • Review comment content (just counts)
  • Issue descriptions or detailed comments
  • File contents of any kind
  • Secrets, tokens, or credentials

How This Enables Full Analytics

You might wonder: can you really provide meaningful engineering insights without seeing the code?

Yes. Here's why:

Cycle Time Needs Timestamps, Not Code

To calculate how long a PR takes from first commit to merge, we need:

  • First commit timestamp
  • PR opened timestamp
  • Review timestamps
  • Merge timestamp

The code content doesn't factor in at all.

Code Churn Needs Line Counts, Not Lines

To measure churn and rework, we need:

  • Lines added/deleted per commit
  • Which files were modified
  • When changes happened

We can identify "this file has been churning" without reading what's in the file.

Activity Patterns Are Timing-Based

When developers work, how work flows through teams, where bottlenecks form—all derivable from timestamps and counts.

Impact Scoring Uses Structure, Not Content

Our Impact Score considers:

  • File path complexity (deep nesting, critical directories)
  • Historical churn patterns
  • Cross-file coupling (inferred from change patterns)
  • None of which requires reading code

The Security Implications

Minimal Attack Surface

If Velocinator were ever breached, an attacker would learn:

  • Your team's GitHub usernames
  • PR titles and timing
  • Organizational structure (which teams exist)

They would NOT learn:

  • How your authentication works
  • What vulnerabilities exist in your code
  • Any proprietary algorithms or logic
  • Anything useful for a secondary attack on your systems

GDPR and Privacy Compliance

Under GDPR, we're primarily processing:

  • Professional work metadata (PR activity, commit counts)
  • Business identifiers (usernames, email domains)

We don't process personal data beyond what's necessary for the service. No behavioral profiling. No data selling. Data deletion is straightforward because there's minimal personal information to begin with.

Enterprise Security Questionnaires

When enterprise procurement sends their 500-question security assessment, our metadata-only architecture simplifies most answers:

  • "Do you store source code?" No.
  • "Do you have access to production systems?" No.
  • "Could you access customer data through your integration?" No.
  • "What sensitive data do you process?" Commit timestamps, PR titles, line counts.

This dramatically accelerates security review timelines.

Comparison with Full-Access Tools

Some engineering analytics tools require deep repository access—they index code, analyze ASTs, run their own static analysis.

Full-Access Advantages

  • Can analyze code complexity directly
  • Can identify specific patterns and anti-patterns
  • Can integrate with code intelligence features

Full-Access Risks

  • Source code exposure to third party
  • Potential for data breach affecting IP
  • Complex security review required
  • Ongoing access monitoring needed
  • Trust relationship with vendor is critical

Metadata-Only Advantages

  • No IP exposure
  • Minimal breach impact
  • Faster security approval
  • Lower ongoing risk
  • Trust requirement is minimal

For most engineering analytics use cases, the metadata-only approach provides the insights teams need without the risks they can't accept.

Read-Only, Minimal Permissions

Beyond metadata-only collection, our GitHub integration uses minimal OAuth scopes:

What we request:

  • repo:status - Read repository status
  • read:org - Read organization membership
  • read:user - Read user profile data

What we don't request:

  • Write access to repositories
  • Access to webhooks that could modify behavior
  • Access to actions or workflow files
  • Admin permissions of any kind

You can verify this in your GitHub organization's third-party access settings. Our integration appears with its exact permissions visible.

Implementation Details

For security teams evaluating Velocinator, here's how data flows:

Collection

  1. OAuth flow grants read-only access to GitHub/Jira APIs
  2. Our collectors poll APIs on a schedule (no webhooks that persist)
  3. Responses are filtered client-side before transmission
  4. Only metadata fields are extracted and sent

Transmission

  • All data transmitted over TLS 1.3+
  • Certificate pinning on mobile clients
  • API authentication via short-lived tokens

Storage

  • AES-256 encryption at rest
  • Data isolated by organization (no cross-tenant access)
  • Database access requires VPN + MFA
  • Retention configurable per organization

Access Control

  • RBAC within Velocinator matches your org structure
  • Managers see their teams' data
  • Individual contributors see their own data
  • No Velocinator employee has routine access to customer data

For Your Security Review

We provide:

  • SOC 2 Type II report (in progress)
  • Penetration test results (annual)
  • Security whitepaper with architectural details
  • Data Processing Agreement (GDPR compliant)
  • Subprocessor list

Most enterprise security reviews complete in 2-4 weeks. The metadata-only architecture removes the thorny questions about code access that typically stall reviews.

The Bottom Line

Engineering intelligence doesn't require source code access. By operating on metadata only, Velocinator delivers the insights teams need while respecting the security requirements enterprises demand.

Your code is your competitive advantage. It should stay that way.

More in Business & Security

Continue reading related articles from this category.

The Engineering Leader's Guide to Software Capitalization — Business & Security article on engineering productivity
Business & Security7 min read

The Engineering Leader's Guide to Software Capitalization

How to help finance track which engineering work can be capitalized—without making developers fill out timesheets.

February 12, 2026
FinOps for Engineering: Aligning R&D Spend with Business Impact — Business & Security article on engineering productivity
Business & Security6 min read

FinOps for Engineering: Aligning R&D Spend with Business Impact

Engineering is your biggest expense. Here's how to show where those dollars are actually going.

February 10, 2026
The Metadata-Only Approach: Why We Never Touch Your Source Code — Business & Security article on engineering productivity
Business & Security5 min read

The Metadata-Only Approach: Why We Never Touch Your Source Code

How Velocinator delivers engineering insights while keeping your intellectual property completely private.

February 8, 2026

Enjoyed this article?

Start measuring your own engineering velocity today.

Start Free Trial