The leadership team has backgrounds in network security and cryptography, and security is a first principle of design. For any questions, please email security@sandgarden.com.
What is Doc Holiday?
Doc Holiday automatically generates and updates release notes and documentation. Doc Holiday indexes code, commits, PRs, product specs, and tickets, then writes crystal-clear documentation and release notes.
Certifications and Third-Party Assessments

Sandgarden is SOC 2 Type II certified and conducts pen testing at least annually. Prospective and current customers may request a copy of the report, associated management summaries, and a select list of policies and procedures, via email at support@sandgarden.com.
Infrastructure Security
Sandgarden’s Doc Holiday product relies on the following subprocessors:
- AWS - primary source of hosting; US-based only.
- Vercel - Admin UI hosting
- Cloudflare - CDN
- Clerk - authentication
- LLMs - reasoning & assessment
  - OpenAI
  - Anthropic
  - Google Cloud Vertex API
- Hashicorp’s Terraform - deployment management
- Sentry - error and performance monitoring
- Clickhouse - database management system
The product is delivered as a fully hosted SaaS product. We do not yet offer a hybrid or self-hosted deployment option.
Application Security
Doc Holiday automatically generates and updates release notes and documentation (both new documents and diffs to existing ones) as code is released. Its inputs are the code base, bug tracking system, engineering ticketing system, product specs, PRs, existing docs, brand voice, and more. It reads and summarizes (but does not store) code, commits, and tickets, then authors documentation and release notes on your behalf.
The product creates connectivity to code repositories (either via an application or service account) to implement some functionality; permissioning has been specifically scoped down to the narrowest possible to allow the product to function.
When customers connect ancillary applications (e.g. product specs) to augment and enhance documentation output, connections to those systems are defined within the Doc Holiday Admin UI. Secrets, tokens, and passwords are backed by KMS and encrypted at rest.
GitHub Application Permissions Outline
GitHub access is granted through a GitHub App. Personal access tokens cannot perform all of the operations Doc Holiday needs within GitHub specifically. Access granted to Doc Holiday must be explicitly provided on a per-repository basis; the App should not be installed with access to all repositories.
- Actions: read. To determine commit history between workflow runs.
- Commit Statuses: read/write. To set commit statuses as part of its PR creation process.
- Contents: read/write. To update release notes, add comment reactions for user feedback, and create and maintain context in destination (doc) repositories.
- Custom Properties: read. To update custom properties.
- Discussions: read/write. To update and maintain discussions.
- Issues: read/write. To be aware of and comment on issues.
- Packages: read. To see what assets exist for releases.
- Pull Requests: read/write. To create and interact with PRs in the doc repository and review extra information from source repositories.
- Read Members: read. To read an organization's team members for billing purposes.
- Repository Security Advisories: read. To enrich the output documentation.
- Webhooks: read/write. To set up custom subscriptions to receive events. Please note: this permission may be removed in the future.
- Workflows: read. To identify workflows that trigger documentation.
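The list above is the documented minimum, so the check a customer's security team will want is whether a given installation actually matches it: nothing broader than read/write where read is listed, no permission that is not listed, and repository selection limited to chosen repositories rather than the whole organization. The following audit is an added example written for this page, not Sandgarden's or GitHub's code. It takes the `installation` object GitHub returns from `GET /app/installations` (or in the `installation` webhook event), whose `permissions` map uses GitHub's API key names with values such as `read` or `write`, and whose `repository_selection` is `all` or `selected`. The mapping from the labels above to those API key names is an assumption, as are the two constructed installation payloads used as input.

```python
"""Audit a GitHub App installation against Doc Holiday's documented permission set.

Added example for this page; not Sandgarden's or GitHub's code.  The installation
payloads below are constructed, and the label -> API key mapping is an assumption.
"""

# Documented minimum, keyed by (assumed) GitHub API permission names.
# "read/write" in GitHub's UI is the "write" level, which implies read.
EXPECTED = {
    "actions": "read",
    "statuses": "write",               # Commit Statuses
    "contents": "write",
    "custom_properties": "read",
    "discussions": "write",
    "issues": "write",
    "packages": "read",
    "pull_requests": "write",
    "members": "read",                 # Read Members (organization permission)
    "repository_advisories": "read",   # Repository Security Advisories
    "repository_hooks": "write",       # Webhooks
    "workflows": "read",
}

# Ordering of access levels; anything unknown is treated as broader than write.
LEVEL = {"none": 0, "read": 1, "write": 2, "admin": 3}


def level(value):
    return LEVEL.get(value, 3)


def audit_installation(installation):
    """Return a sorted list of findings; an empty list means the grant matches the page."""
    findings = []
    granted = installation.get("permissions", {})

    # 1. Every documented permission: flag both excess and shortfall.
    for key, want in EXPECTED.items():
        have = granted.get(key, "none")
        if level(have) > level(want):
            findings.append(f"excess: {key} granted {have}, documented {want}")
        elif level(have) < level(want):
            findings.append(f"missing: {key} granted {have}, documented {want}")

    # 2. Anything granted that the page does not list at all.
    for key, have in granted.items():
        if key not in EXPECTED and level(have) > 0:
            findings.append(f"undocumented: {key} granted {have}")

    # 3. The page says access is granted per repository, so "all" is over-broad.
    if installation.get("repository_selection") != "selected":
        findings.append("scope: installation covers all repositories, expected per-repo selection")

    return sorted(findings)


# Constructed payload that a reviewer should reject: actions escalated to write,
# packages never granted, an undocumented administration permission, and org-wide scope.
OVERBROAD_INSTALLATION = {
    "id": 1,
    "repository_selection": "all",
    "permissions": {
        "actions": "write",
        "statuses": "write",
        "contents": "write",
        "custom_properties": "read",
        "discussions": "write",
        "issues": "write",
        "pull_requests": "write",
        "members": "read",
        "repository_advisories": "read",
        "repository_hooks": "write",
        "workflows": "read",
        "administration": "write",
    },
}

# Constructed payload that matches the documented minimum exactly.
COMPLIANT_INSTALLATION = {
    "id": 2,
    "repository_selection": "selected",
    "permissions": dict(EXPECTED),
}


if __name__ == "__main__":
    for name, inst in (("overbroad", OVERBROAD_INSTALLATION), ("compliant", COMPLIANT_INSTALLATION)):
        print(name, audit_installation(inst) or "OK")
```

Run it against the JSON of a real installation and treat any `excess`, `undocumented` or `scope` finding as a reason to reinstall the App with narrower grants; a `missing` finding explains a feature that will fail rather than a security problem. Because GitHub can change an App's requested permissions over time (the Webhooks permission above is noted as possibly going away), keeping this check in a periodic job catches drift after the initial review.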
GitLab Application Permissions Outline
GitLab access is created using a personal access token. Doc Holiday access must be explicitly granted to projects or groups via direct membership from either a user or service account’s personal access token.
- Scopes:
api
The interactions Doc Holiday requires (e.g. comments, merge requests, etc.) are only possible via the 'api' scope. No other scopes are required.
AI Requests
To provide its features, Doc Holiday makes AI requests to various LLM vendors. An AI request will include indexed information about your product, code base, brand voice, amongst other things. Sandgarden has a zero data retention agreement with all LLM providers.
Codebase Indexing
Doc Holiday indexes codebases as part of providing its services, but does not store the raw source code. The only data retained is metadata and derived artifacts, such as summaries or vector embeddings.
Account Deletion
You can delete your account at any time. Please email support@sandgarden.com and we will delete all data associated with your account, including any indexed codebases. Complete removal may take up to 30 days due to various cloud storage backup definitions.
Vulnerability Disclosures
If you believe you have found a vulnerability in Sandgarden, please email security@sandgarden.com. We will acknowledge and address the report promptly.