digma-ai / digma

πŸ§‘β€πŸ’»πŸ”­ Digma helps you fix performance issues in your code by automatically profiling the code execution. Using APMs to identify code bottlenecks, query problems and scalability issues takes time and effort - Digma automates all of that. Digma is free for developers - get it here: https://digma.ai/get-digma/
https://www.digma.ai/

Data privacy / security #74

Open Nezisi opened 9 months ago

Nezisi commented 9 months ago

I've tried to read up on every resource I found on the Digma websites...

But I cannot seem to find enough details to come to a conclusion about how Digma utilizes data, nor who / what is involved in the Digma analysis.

As OpenTelemetry has access to all kinds of sensitive data, I feel this needs a detailed clarification.

If I've overlooked something, please give me a hint.

Thanks for all your hard work!

doppleware commented 9 months ago

Hi @Nezisi, at this moment Digma isn't a SaaS service, so it does not take any OTEL data at all. All of the observability data stays local on your machine, as Digma runs on your local containers. We do have SOC2 and other compliances, but since that is the case it is less of a consideration. Let me know if I can help with more info!

Thanks! Roni

Nezisi commented 9 months ago

Just to be clear - sorry for being pedantic - so Digma doesn't call home by any means, nor does it utilize the data (be it anonymized or not) it has access to in any way except for the statical analysis?

It is sad that this has to be asked nowadays :(

Would be great if you maybe could add that information under the FAQ?

I guess I'm not the only one who thinks that Digma is a very great idea, but on the other hand, dreads the possible security concerns and red tape involved in using it… (which is another sad thing nowadays)

Thanks for the fast reply!

doppleware commented 9 months ago

Hi @Nezisi - it is actually very important to clarify, thanks for digging more into this.

Digma doesn't send any of your observability data back. Your application data is completely yours and dynamic analysis is done locally on your Docker. We really don't want the responsibility of handling that data :) Especially in well-regulated orgs.

We do save UI analytics for usability feedback purposes (for example, if you click a button or open a panel, and how often); this is so we can improve Digma from a developer experience and UI perspective. We also send back any internal IDE exceptions Digma is encountering so we can know how to solve them. These, too, include only Digma's internal stacks.

We are considering adding a toggle to block that as well - let me know if this would be necessary for your case.

Hope that helps clarify that - I will keep this issue open until we update the FAQ.

Thanks! Roni