Thanks for reporting this! Sometimes apps support only "all or nothing" permissions (called "oauth2 scopes"), i.e. to request feature A from the app, we have to request features B and C too, because some scope enables A, B and C simultaneously.

But this particular GitHub case seems to be different. So it's fixed.

No much magic here, we use pretty standard protocols and approaches for security.

The data stored is public-key-encrypted (buzzwords: ECIES, Secp256k1, AES256+CTR), and the decryption private keys (per app/user) are available only to the very last and isolated layers (e.g. in particular, right before the search snippet is sent to your browser, or right before the text is tokenized and converted into an inverted index which erases the information about the actual words location in the text). The engineers can’t see the users' data.

App access- and refresh tokens (which we obviously need to send API requests to the apps you connect) are stored the similar way. They’re only decrypted in a separate layer right before requests are sent to remote cloud apps' APIs.

We will publish a comprehensive overview of our approach to security, which I'll link to this thread for posterity. Frankly, we just ran out of time to publish this in time for the launch.

To compliment our architecture, I should mention we also also have strict company policy around general IT security and any type of customer data access. Security is an evergreen problem here.