Security

The security of your data is of our utmost concern. We follow strict guidelines and practices and partner with the best in the field to keep our systems, and your data, safe.

Infrastructure Security

We host our infrastructure (servers and services) on the Google Cloud Platform (GCP). GCP is one of the leading cloud providers, trusted by the likes of Spotify, Evernote, Johnson & Johnson, Sony Network Communications, Schlumberger and BNP Paribas, to name a few.

GCP regularly undergoes independent verification of its security, privacy, and compliance controls, achieving certifications against global standards including ISO 27001, ISO 27018, ISO 27019, and SOC 1, 2 & 3.

The Gitalytics systems are hosted on GCP and inherit all of the robustness of the GCP platform.

For more details on Google’s approach to security, see https://cloud.google.com/security/ and https://cloud.google.com/security/overview/whitepaper.

Procedural Security

Accessing your Git repos

Gitalytics analyses your connected Git Services to create the metrics and dashboards that you see in the product, and to do this we need access to the repositories in those services. We do not create a copy, cache, or any other reproduction of your source code for analysis purposes. Our FAQ details what access we need to your Git repos and why.

We rearchitected our application to use Auth0, one of the leading service providers for B2B application authorization. What this means for our customers is that Auth0 acts as a trusted authentication service and it manages all access to tokens for the Git Services we use. We use temporary (1-hour expiry) tokens from Auth0 instead of keeping, and having to secure, permanent tokens, reducing risk.

More detail can be found at www.auth0.com.

Secure data transfer

We use industry-standard 256-Bit SSL (https) encryption for all internet-facing traffic to secure your data in transit.

Credit card payment information

We use Stripe (www.stripe.com) for all credit card processing of your payment information. Stripe is one of the industry's leading billing and payment providers and is PCI compliant. Using Stripe means we do not have to store any of your credit card information in any way, and you can be sure that your information is safe.

Password management

An added benefit of our use of Auth0 is that we store no passwords in any form. This reduces the risk of a breach of our systems resulting in third parties obtaining seemingly valid credentials (passwords) for our application.

Frequently Asked Questions

What data is stored by Gitalytics?

Primarily we store metadata around Pull Requests and Commits, including comments, timings, and aggregated statistics. No source code is copied or stored by Gitalytics during processing.

Who can access my data?

Access is by invite only: the system administrator determines who can have access to the Gitalytics application and what access level they have. For login itself, we support two mechanisms: a username/password combination (the latter managed by Auth0) or single sign-on (SSO) via the associated Git Service (GitHub/GitLab/BitBucket). The system administrator can easily disable access from within the application regardless of login method.

What access do I need to grant Gitalytics on my Git repos, and why?

Gitalytics needs read access on the repos directly in order to process data. We do not need write access to your repos, with one exception: write access to register webhooks. This allows Gitalytics to stay notified of changes to your selected repositories so that the platform can keep metrics up to date.

How do I delete my data from Gitalytics?

Delete the repository from Gitalytics and all generated metrics and data are removed.

Contact us

If you have any comments or concerns related to security, please contact us at security@gitalytics.com; we will make every effort to address your concern.