Effective date: February 28, 2026 · Greyfield Labs LLC DBA Misconfig Index · hello@misconfig.dev
What we collect
When you use Misconfig Index — whether through the web UI Quick Scan, the CLI, or the API — we collect the minimum data needed to provide the service:
- Repo identifier — the GitHub owner/repo string (e.g. hashicorp/terraform). This tells us which repo a scan belongs to.
- Misconfig score and grade — the numeric score (0–100) and letter grade (A–F) computed from your scan.
- Finding rule IDs and counts — e.g. TF_OPEN_SG. We record which rules fired and how many times, but never the actual values or file contents that triggered them.
- File counts — total number of IaC files scanned (no file names or paths are stored).
- Branch and commit SHA — optional, used to correlate scans with your git history when provided via misconfig ingest.
- Organisation name and slug — provided by you when you create an account.
- API keys — stored as one-way hashes. We cannot recover your raw API key after it is issued.
- Standard server logs — IP addresses, request timestamps, and HTTP status codes retained for up to 30 days for security and abuse prevention.
What we never collect
- Source code — for Quick Scan, we download your repo ZIP, scan it in memory, and discard it immediately. No source code, file contents, or snippets are written to disk or stored in our database.
- Passwords or email addresses — accounts are API-key only; we do not require email registration.
- Personal information — we do not collect names, emails, or any PII beyond what you voluntarily provide in your org name.
- Cookies or tracking pixels — the dashboard is a plain static page with no analytics, tracking scripts, or third-party cookies.
How we use your data
- To compute and display your Misconfig Score and trend history.
- To populate the public Industry Benchmark (aggregated and anonymous — we show percentages across all repos, never individual repo data).
- To generate your live score badge at api.misconfig.dev/badge/{org}/{repo}.
- To enforce rate limits and detect abuse.
Data retention
- Scan records — retained indefinitely for registered orgs so you can see long-term score trends.
- Quick Scan results — not stored at all. The scan happens in memory and the result is returned directly to your browser.
- Benchmark data — the public benchmark aggregates only scans from the last 90 days.
- Server logs — rotated after 30 days.
- Account deletion — email hello@misconfig.dev and we will delete all data associated with your org within 7 business days.
Data sharing
We do not sell, rent, or share your data with any third party, full stop. The only external service involved in running Misconfig Index is the AWS EC2 instance that hosts the API and database. AWS is subject to its own privacy policy.
Security
All traffic is encrypted in transit via TLS (HTTPS). API keys are stored as one-way hashes and cannot be recovered by us. The database is not exposed to the public internet.
Open source
Misconfig Index is open source under the MIT licence. You can review exactly what data is collected and how it is processed in the public GitHub repository, or self-host the entire stack.
Lawful basis (EU / UK users)
For users in the European Union or United Kingdom, Greyfield Labs LLC processes personal data on the basis of legitimate interests (Article 6(1)(f) GDPR) — specifically, to provide the scanning service you requested, maintain platform security, and prevent abuse. You may contact us at hello@misconfig.dev to exercise your rights under GDPR, including the right to access, rectification, erasure, restriction, portability, or to object to processing.
Changes
If we materially change this policy, we will update the effective date above and post a notice on the blog. Continued use of the service after a policy change constitutes acceptance of the updated terms.
Contact
Questions? Email hello@misconfig.dev.