The security of your data is of our utmost concern. We follow strict guidelines and practices and partner with the best in the field to keep our systems, and your data, safe.
We host our infrastructure (servers and services) on the Google Cloud Platform (GCP). GCP is one of the leading Cloud providers trusted by the likes of Spotify, Evernote, Johnson & Johnson, Sony Network Communications, Schlumberger, BNP Paribas to name a few.
GCP regularly undergoes independent verification of its security, privacy, and compliance controls, achieving certifications against global standards including ISO 27001, ISO 27018, ISO 27019, and SOC 1, 2 & 3.
Our application uses Auth0, one of the leading service providers for B2B application authorization. More detail can be found at www.auth0.com
What this means for our customers is that Auth0 acts as a trusted authentication service and manages all access tokens for the Git services we use.
We use temporary (1-hour expiry) tokens from Auth0 instead of keeping, and having to secure, permanent tokens, which reduces risk.
These tokens are used to call the various Git service APIs and to perform a "git clone --bare" on each repository. Because of this setup, we do not download any source code.
A web hook to our system will be created so that we can pull down updates as they occur.
An added benefit of our use of Auth0 is that we store no passwords in any form. This reduces the risk of a breach of our systems resulting in third parties holding seemingly valid credentials (passwords) for our application.
All data transfer is done via industry-standard 256-bit SSL (HTTPS) encryption.
We use Stripe (www.stripe.com) for all credit card processing of your payment information. Stripe is one of the industry's leading billing and payment providers and is PCI compliant. Using Stripe means we do not store any of your credit card information in any way, and you can be sure that your information is safe.
Primarily we store metadata around Pull Requests and Commits including comments, timings, and aggregated statistics. No source code is copied or stored by Gitalytics during processing.
Access is by invite only: the system administrator determines who can access the Gitalytics application and what access level they have. For login itself, we support two mechanisms: a username/password combination (the latter managed by Auth0) or single sign-on (SSO) through the associated Git service (GitHub/GitLab/BitBucket). The system administrator can easily disable access from within the application regardless of login method.
Gitalytics needs read access to the repositories in order to process data. We do not need write access to your repository contents; the only write permission we require is to register webhooks. This allows Gitalytics to stay notified of changes to your selected repositories so that the platform can keep metrics up to date.
Delete the repository from Gitalytics and all generated metrics and data are removed.
If you have any comments or concerns related to security, please contact us at firstname.lastname@example.org - we will make every effort to address your concern.