Security

The security of your data is our utmost concern. We follow strict guidelines and practices, and partner with established providers, to keep our systems and your data safe.

Infrastructure Security

We host our infrastructure (servers and services) on the Google Cloud Platform (GCP). GCP is one of the leading cloud providers, trusted by the likes of Spotify, Evernote, Johnson & Johnson, Sony Network Communications, Schlumberger and BNP Paribas, to name a few.

GCP regularly undergoes independent verification of its security, privacy and compliance controls, achieving certifications against global standards including ISO 27001, ISO 27018, ISO 27019 and SOC 1, 2 & 3.

User Authentication

Our application uses Auth0, one of the leading identity providers for B2B application authentication. More detail can be found at www.auth0.com

Git Services Access

What this means for our customers is that Auth0 acts as our trusted authentication service and brokers the access tokens we use for the Git services.

We use temporary tokens (1-hour expiry) issued through Auth0 instead of keeping, and having to secure, permanent tokens. A token that leaks is therefore only usable for a short window, which reduces risk.

These tokens are used to call the Git service APIs and to perform a "git clone --bare" of each repository. A bare clone has no checked-out working tree, but it does contain the repository's object database, so the clone is used only to extract commit and pull request metadata; no source code is stored (see the FAQ below).

A webhook is registered on each repository so that we are notified of changes and can pull down updates as they occur.
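The token and webhook handling described in this section, as an added example that is not Gitalytics' own code. It assumes a GitHub-style service: a short-lived access token is supplied to the bare clone without being written to the clone's config or the process command line, and each webhook delivery is signed with HMAC-SHA256 over the raw body in the X-Hub-Signature-256 header, which the receiver must verify before acting on it. The function names, the webhook secret and the sample payload are constructed for illustration.

```python
"""Short-lived token use and webhook verification for a Git service.

Added example, not Gitalytics' own code. Assumes a GitHub-style service:
a temporary access token is used for a bare clone, and each webhook
delivery carries an HMAC-SHA256 of the raw body in X-Hub-Signature-256
("sha256=<hex>"). Helper names and the sample payload are constructed.
"""
import base64
import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple


def bare_clone_command(clone_url: str, target_dir: str, token: str) -> Tuple[List[str], Dict[str, str]]:
    """Build (argv, extra_env) for `git clone --bare` using a temporary token.

    The token is sent as an Authorization header supplied through git's
    GIT_CONFIG_* environment variables (supported since git 2.31). It is
    therefore absent from the remote URL, which git would otherwise persist
    in the bare clone's config, and absent from the process command line.
    """
    if not token:
        raise ValueError("empty token")
    host = clone_url.split("://", 1)[-1].split("/", 1)[0]
    if "@" in host:
        raise ValueError("credentials must not be embedded in the clone URL")
    # GitHub accepts a token as the password for the literal user "x-access-token".
    basic = base64.b64encode(f"x-access-token:{token}".encode()).decode()
    extra_env = {
        "GIT_CONFIG_COUNT": "1",
        "GIT_CONFIG_KEY_0": "http.extraHeader",
        "GIT_CONFIG_VALUE_0": f"Authorization: Basic {basic}",
    }
    # Run with: subprocess.run(argv, env={**os.environ, **extra_env}, check=True)
    return ["git", "clone", "--bare", clone_url, target_dir], extra_env


def github_signature_header(secret: bytes, body: bytes) -> str:
    """Value the service puts in X-Hub-Signature-256 for `body` under `secret`."""
    return "sha256=" + hmac.new(secret, body, hashlib.sha256).hexdigest()


def verify_signature(secret: bytes, body: bytes, header: Optional[str]) -> bool:
    """Constant-time check of a delivery signature; False on any mismatch."""
    if not header or not header.isascii() or not header.startswith("sha256="):
        return False
    return hmac.compare_digest(github_signature_header(secret, body), header)


def handle_push_delivery(secret: bytes, headers: Dict[str, str], body: bytes) -> Optional[Tuple[str, str]]:
    """Validate a webhook delivery and return (repo_full_name, ref) to fetch.

    Returns None when the signature is invalid or the event is not a push, so
    an unauthenticated caller cannot trigger a fetch. The signature is checked
    over the raw bytes before the JSON is parsed, so unsigned input never
    reaches the parser. Header names are assumed already normalised.
    """
    if not verify_signature(secret, body, headers.get("X-Hub-Signature-256")):
        return None
    if headers.get("X-GitHub-Event") != "push":
        return None
    payload = json.loads(body)
    return payload["repository"]["full_name"], payload["ref"]


if __name__ == "__main__":
    # Constructed sample: a clone with a throwaway token, then one push delivery.
    argv, env = bare_clone_command("https://github.com/example/repo.git",
                                   "/srv/mirrors/repo.git", "ghs_constructed_token")
    print(" ".join(argv), "(token carried only in", list(env)[-1] + ")")

    secret = b"constructed-webhook-secret"
    body = json.dumps({"ref": "refs/heads/main",
                       "repository": {"full_name": "example/repo"}}).encode()
    good = {"X-GitHub-Event": "push",
            "X-Hub-Signature-256": github_signature_header(secret, body)}
    print(handle_push_delivery(secret, good, body))
    tampered = body.replace(b"main", b"evil")
    print(handle_push_delivery(secret, good, tampered))
```

The two design points are that the token never touches disk (a token embedded in the clone URL would be written into the bare repository's config and outlive its one-hour validity as a stored secret) and that the webhook endpoint refuses any delivery whose HMAC does not match, using a constant-time comparison so the check itself does not leak the secret.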

Password management

An added benefit of our use of Auth0 is that we store no passwords in any form; password-based logins are handled entirely by Auth0. This reduces the risk that a breach of our systems gives a third party working credentials for our application.

Secure data transfer

All data is transferred over HTTPS using industry-standard TLS (commonly referred to as SSL) with 256-bit encryption.

Credit card payment information

We use Stripe (www.stripe.com) for all credit card processing of your payment information. Stripe is one of the industry's leading payment providers and is PCI DSS compliant. Because Stripe handles the card data, we never store your credit card information in any form.

Frequently Asked Questions

What data is stored by Gitalytics?

Primarily we store metadata about pull requests and commits, including comments, timings and aggregated statistics. No source code is retained or stored by Gitalytics.

Who can access my data?

Access is by invitation only: the system administrator determines who can access the Gitalytics application and what access level they have. For logging in, we support two mechanisms: a username/password combination (with the password managed by Auth0, never by us) or single sign-on (SSO) through the associated Git service (GitHub, GitLab or Bitbucket). The system administrator can disable a user's access from within the application regardless of login method.

What access do I need to grant Gitalytics on my Git repos, and why?

Gitalytics needs read access to the repositories in order to process their data. We do not need write access to your code. The only write permission we need is the one required to register webhooks on the repositories; this lets Gitalytics be notified of changes to your selected repositories so that the platform can keep metrics up to date.

How do I delete my data from Gitalytics?

Delete the repository from Gitalytics and all generated metrics and data for it are removed.

Contact us

If you have any comments or concerns related to security, please contact us at contact@gitalytics.com; we will make every effort to address them.