Security
Last updated May 2026
Drumroll holds two kinds of sensitive material: workspace authentication and OAuth access tokens for the systems you connect. Here’s how we protect them, in plain language.
Encryption
- OAuth access and refresh tokens are encrypted before they reach the database, with a key held in our secrets store - separate from source and from the database.
- Each environment has its own encryption key. Development and production are isolated.
- All connections to our database and providers use TLS. Data at rest is encrypted by our infrastructure providers.
Authentication
- Authentication is handled by a dedicated identity provider. We never see your password.
- Session cookies are HTTP-only and same-site. CSRF protection is built into our connection flows.
- Workspace membership is enforced on every request. You can only read or modify workspaces you belong to.
Integration permissions
Drumroll requests the minimum read-only scopes needed to import your release notes from the source systems you connect (GitHub, JIRA, Bitbucket). We never request write access. You can disconnect any integration at any time from your workspace settings; tokens are deleted immediately.
Asset uploads
- Uploaded files (logos, favicons, cover images, inline images, file attachments) are isolated per workspace. One workspace cannot read or guess another workspace’s assets.
- Uploads pass through a MIME-type allowlist and a per-file size cap. Only members of a workspace can upload to it.
- Once uploaded, the asset URLs are publicly readable - they’re embedded on your public pages by design.
Branding extraction
When you paste a URL to auto-fill your branding, our server makes one outbound HTTPS request to that URL and parses the response. The fetcher refuses to connect to private or internal networks, has a hard timeout and response-size cap, and only parses HTML.
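The outbound-fetch guard described above, written out as an added example that is not Drumroll's own code: only https is accepted, every address the host resolves to must be public, redirects are refused, a hard timeout and size cap apply, and only text/html bodies are returned. The limits, hostnames and the resolver hook are assumptions for illustration.

```python
import ipaddress
import socket
import urllib.request
from urllib.parse import urlparse

MAX_BYTES = 1_000_000   # response-size cap (assumed value, not Drumroll's)
TIMEOUT_SECONDS = 5     # hard timeout (assumed value, not Drumroll's)

def is_public_address(ip: str) -> bool:
    # True only for globally routable unicast: rejects loopback, RFC 1918,
    # link-local (which covers cloud metadata endpoints), ULA and similar.
    addr = ipaddress.ip_address(ip)
    if addr.version == 6 and addr.ipv4_mapped:
        addr = addr.ipv4_mapped   # ::ffff:10.0.0.1 is judged as 10.0.0.1
    return not (addr.is_private or addr.is_loopback or addr.is_link_local
                or addr.is_multicast or addr.is_reserved or addr.is_unspecified)

def resolve_public(hostname: str, resolver=socket.getaddrinfo) -> list[str]:
    # Every returned record must be public; a mixed public/private answer is refused.
    try:
        infos = resolver(hostname, None)
    except socket.gaierror as exc:
        raise ValueError(f"cannot resolve {hostname}") from exc
    ips = sorted({info[4][0] for info in infos})
    if not ips or not all(is_public_address(ip) for ip in ips):
        raise ValueError(f"{hostname} resolves to a non-public address")
    return ips

def validate_branding_url(url: str, resolver=socket.getaddrinfo) -> str:
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("only https URLs with a hostname are fetched")
    resolve_public(parts.hostname, resolver)
    return parts.hostname

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # A public URL that redirects to an internal address would bypass the checks above.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        raise ValueError(f"redirect to {newurl} refused")

def fetch_branding_html(url: str) -> bytes:
    validate_branding_url(url)
    opener = urllib.request.build_opener(_NoRedirect)
    with opener.open(url, timeout=TIMEOUT_SECONDS) as resp:
        ctype = resp.headers.get("Content-Type", "")
        if not ctype.lower().startswith("text/html"):
            raise ValueError(f"refusing to parse {ctype or 'unknown'} body")
        body = resp.read(MAX_BYTES + 1)   # one byte past the cap detects overrun
    if len(body) > MAX_BYTES:
        raise ValueError("response exceeds size cap")
    return body
```

Resolving the name once and then letting the HTTP client resolve it again leaves a small DNS-rebinding window; a stricter version connects to the address it checked and sets the hostname only for TLS and the Host header.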
What we don’t collect
- No analytics on visitors to your public changelog or guides pages.
- No third-party trackers, pixels, or cross-site identifiers.
- No copy of your source-system data beyond what you sync.
Public-page hardening
Our embeddable widget and iframe routes are designed to be embedded across origins - no customer data is exposed there that isn’t already on your public changelog or guides pages.
Reliability
Syncs are resilient: one malformed upstream item doesn’t fail the rest of the run, and rate-limited providers are retried with backoff. Failed items surface in your sync history so you can see and re-run them.
Disclosure
If you find a vulnerability, please email security@usedrumroll.com with reproduction steps. We’ll acknowledge within 72 hours, fix critical issues within 14 days, and credit you in the changelog if you’d like.
Please do not test on workspaces you don’t own. Use your own Drumroll workspace for any safe testing.