Waffle strongly believes that customers should be able to control their data and trust that information is protected when stored with us.

 Waffle.io is a product of CA Technologies, and where appropriate we follow CA's practices for privacy and security. Please contact our team at support@waffle.io with specific questions, or also our corporate privacy team at privacyhelpline@ca.com


We abide by CA's privacy policy, found at https://waffle.io/privacy (also found at https://www.ca.com/us/legal/privacy.html).

GDPR compliance

Waffle holds itself to strict data security and privacy standards, including compliance with the General Data Protection Regulation (GDPR). You can read our GDPR commitment here: https://www.ca.com/us/legal/gdpr-commitments.html

We abide by CA's Data Transfer Policy, including the Data Processing Agreement (DPA) for GDPR: https://www.ca.com/us/legal/privacy/data-transfers.html

GitHub Permissions

Waffle relies on OAuth with GitHub to access your data. We request either public_repo  or repo  scopes when you login, dependent on whether you desire to use Waffle with your private repositories or only public repositories. While we only need access to your issues and pull requests, these scopes also grant us access to your source code.

We do not process or store your source code in any Waffle system. Your access tokens are encrypted at rest in our database, and we only make network requests securely over TLS.

Why aren't we a new GitHub App, that has finer grained controls? GitHub Apps have limitations we can't accept right now, including missing API endpoints (namely, GraphQL support) and they also require an admin to configure instead of any collaborator. We'll continue to consider transitioning fully to a GitHub App in the future.

What we store

Waffle enhances your GitHub data with additional features. Issues and pull requests can be estimated with points, turned into epics and connected together as dependencies. Waffle keeps a copy of your issue data in our database to provide these enhancements. We do not store any of your source code.


Who can see your data in Waffle? Waffle respects GitHub's permission model for all of your issues and pull requests. If your repository is public, then anyone can see your Waffle board. If private, likewise only people who can access your data in GitHub can see it in Waffle. If you've combined public and private repos on a single board, users will only see what they have access to.

What third party tools have access to what data, and why

Waffle relies on several third-party services to host Waffle and provide functionality. These include:
Compose: Our data layer is hosted by Compose. Sensitive information is encrypted at rest, and is accessed securely over TLS.
Google Kubernetes Engine: Waffle is hosted in the cloud by GKE, also served over TLS.
Intercom: Waffle provides in-app support and feature announcements with Intercom.
Mixpanel: Waffle tracks customer activity in Mixpanel to help us understand what features are being used to help our customers find the most value out of Waffle.
Google Analytics and Google Optimize: We A/B test messaging on our marketing pages, and rely on Analytics and Optimize to improve Waffle's value proposition for potential customers looking at Waffle as a solution.
Pusher: Pusher provides you with real-time updates! We stream any data you see in the UI through Pusher when changes are made by another user on your Waffle board or in GitHub. Private data is secured in a private channel, only visible to those who have access to the data in GitHub.

These third party services are only used with our SaaS version. If you're an on-premises customer using Waffle Takeout, the only third party dependency is Replicated who provides our licensing and configuration for on-prem. 

If you would like your data removed from Waffle's database and every third-party system we use, contact us at support@waffle.io and we'll process your request.

Did this answer your question?