VectorGraph

VectorGraph trust

Privacy

VectorGraph stores the records needed to run a permissioned workspace. NorthGraph code intelligence is local by default, and source code is not uploaded by that workflow.

Updated May 2026

What VectorGraph stores

  • Account identifiers, workspace memberships, roles, invitations, and authentication references from Clerk.
  • Workspace records such as issues, projects, sprints, docs, canvases, customer requests, comments, labels, attachments, and audit events.
  • GitHub installation metadata, repositories selected for a workspace, linked branches, commits, pull requests, checks, and webhook delivery IDs when GitHub is installed.
  • CLI, MCP, agent, webhook, export, and security activity needed for authorization, auditability, troubleshooting, and abuse prevention.

What VectorGraph does not do by default

  • VectorGraph does not sell workspace data.
  • VectorGraph does not use private workspace content to train public foundation models.
  • NorthGraph does not upload source code by default. It indexes repository facts locally and exposes them through the local CLI or local MCP process.

Subprocessors and infrastructure

VectorGraph uses managed providers for authentication, application hosting, product data, GitHub App installation access when enabled, storage, email, telemetry, queues, backups, and operational security. For a current DPA or subprocessor list, contact privacy@vectorgraph.app.

Telemetry boundaries

  • Telemetry is intended to measure reliability, adoption, errors, latency, permission denials, and operational health.
  • Private workspace content, source-code snippets, prompt text, terminal output, secrets, and local paths should not be sent to analytics by default.
  • Operational logs should avoid sensitive content values and should preserve request IDs for support and security review.

Retention export and deletion

  • Workspace administrators can export supported workspace records according to the product plan and permission model.
  • Deletes and archival actions are audited where the product treats them as sensitive actions.
  • Retention and deletion requests can be sent to the privacy contact and are handled according to workspace ownership, legal obligations, and abuse-prevention needs.