Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.ewake.ai/llms.txt

Use this file to discover all available pages before exploring further.

This page lists every permission ewake requests, what it accesses with each one, and what it explicitly does not access. It is intended to be the single source of truth for security and compliance reviews.

Principles

Read-only by default

Every integration uses read-only credentials. Ewake never modifies, writes, or deletes data in your connected systems unless a feature explicitly requires a write scope and you opt in.

Customer-isolated

Each customer’s knowledge map is stored in an isolated environment. No data is shared between customers. Models do not train on customer data.

No raw telemetry retention

Logs, metrics, and traces are queried live from your sources at the moment of investigation. Ewake retains derived metadata (services, dependencies, incident summaries), not raw data.

Encrypted in transit and at rest

All API traffic uses TLS 1.2+. Stored knowledge-map data is encrypted with AES-256 at rest.

Per-integration access matrix

Datadog

Ewake uses an Application key scoped to read-only operations. The full list:
ScopeWhat it enables ewake to readWhy it’s needed
apm_readAPM trace dataInvestigating distributed-trace context for slow requests
apm_api_catalog_readAPI catalog metadataUnderstanding service contracts in your environment
apm_pipelines_readAPM pipeline configurationMapping observability data flows
apm_service_ingest_readService ingestion metricsDetecting traffic anomalies per service
dashboards_readExisting dashboardsSurfacing relevant Datadog views during investigation
debugger_readLive Debugger capturesAdding runtime state context to investigations
error_tracking_readError tracking dataCorrelating errors with deploys and alerts
events_readDatadog events streamDetecting deployment and infrastructure events
llm_observability_readLLM observability dataInvestigating issues in LLM-backed services
logs_read_archivesArchived logsQuerying historical log context for past incidents
logs_read_dataLog contentReading log lines as evidence in investigations
logs_read_index_dataLog index metadataBuilding efficient log queries
metrics_readMetric seriesReading time-series metrics for any service
monitors_readMonitor definitionsUnderstanding what triggered an alert
timeseries_queryCustom time-series queriesBuilding correlation queries across metrics
ewake does NOT request: any write, manage, admin, or *_create scopes. It cannot modify monitors, dashboards, logs, or any Datadog configuration.

GitHub

Ewake uses a GitHub App with the following installation permissions:
ScopeAccess levelWhat it enables
Repository contentsReadReading source code and diffs for investigation
Repository metadataReadListing repos, branches, default branches
Pull requestsReadCorrelating PRs with deployments and incidents
Commits & pushesReadMapping who deployed what and when
DeploymentsReadTracking deployment events
ewake does NOT request: write access to code, branches, PRs, or repository settings. It cannot push commits, create branches, comment on PRs, or merge anything. The user-level OAuth authorization grants ewake read access on your behalf to repositories you can already see. The App installation is what grants organisation-level access.

Slack

Ewake’s Slack app requests these OAuth scopes:
ScopeWhat it enables
channels:historyRead messages in channels ewake is added to
channels:readList channels in the workspace
chat:writePost messages and replies
im:writeSend direct messages to users
users:readRead workspace member list (for routing and mentions)
ewake does NOT request: access to private channels it has not been added to, file uploads it cannot read, admin-level workspace settings, or message deletion.

Incident.io

Ewake requests an API key with these permission groups:
Permission groupScopesRequired?
View data (public incidents + org settings)18 scopes✅ Required
View catalog types and entries3 scopes✅ Required
Read schedules1 scopeOptional, enables on-call reasoning
ewake does NOT request: any incident creation, editing, or resolution permissions. It cannot declare incidents, change severity, or post on your behalf in Incident.io.

What ewake does NOT access

To make this explicit, ewake never:
  • Modifies, writes, or deletes data in any connected system
  • Reads private Slack channels it has not been invited to
  • Pushes commits, opens PRs, or modifies code
  • Silences, acknowledges, or closes alerts
  • Trains foundation models on your data
  • Shares your knowledge map with other customers

Data handling

TopicDetail
Raw telemetryQueried live from your sources at investigation time. Not retained by ewake.
knowledge mapPersisted per-customer. Stores derived metadata (service map, incident summaries, correlations). Encrypted at rest.
PII / secretsLogs are filtered through redaction patterns before being included in ewake outputs.
Data residencyContact support@ewake.ai for current region availability.
Sub-processorsFull list available on request, contact support@ewake.ai.

Compliance

SOC 2, ewake is in active SOC 2 Type II preparation through Sprinto. Contact support@ewake.ai for the current report status and timeline.

Customer responsibilities

To get the strongest security posture from your ewake deployment:
  • Scope API keys minimally, use the exact scopes listed above, no more
  • Rotate credentials regularly, at least every 90 days
  • Use Google SSO for ewake login rather than shared credentials
  • Audit Slack channel membership, ewake only sees what’s in channels it’s invited to
  • Review the GitHub App scope, install on the minimum repository set you need