Read-only repo access
Zoruko reads your repository through GitHub OAuth with the scopes you grant. It never pushes to your branches — every change arrives as a pull request from its own branch, and nothing merges without your review.
Zoruko's whole security model fits in one sentence: we read your repo, we open pull requests, and we touch nothing else.
Zoruko reads your repository through GitHub OAuth with the scopes you grant. It never pushes to your branches — every change arrives as a pull request from its own branch, and nothing merges without your review.
Zoruko never asks for your Meta or TikTok credentials, ad account permissions, or access tokens. Our work happens entirely in your codebase. The S2S sending path runs in your infrastructure with your own tokens — we never hold them.
Fixes are small, single-purpose pull requests with tests and a written rationale. Your team reviews, approves, and merges. High-risk changes (like billing migrations) ship behind feature flags with a parallel-run reconciliation period.
The GitHub OAuth token is encrypted at rest with AES-256-GCM. Connections can be revoked at any time from your GitHub settings, which immediately cuts all access.
The monitoring module reports event metadata (type, status, timestamps) to your panel — not customer PII. User-level fields are hashed before they leave your infrastructure, following the same standards ad platforms require.
Everything Zoruko does is visible in your repo history: every change is a commit, every decision is a PR description. There is no hidden automation surface.
Questions about our security model, or need a review for procurement? Talk to us — we'll walk your team through every access path.