1. About the Good Samaritan Developer Alerting Service
In the course of our business, based on a responsible approach and for ethical reasons, we collect the business email addresses of developers who have inadvertently published identifiers or secrets on the GitHub public code repository at https://github.com/ and alert them by email.
The email sent to professional developers includes a link to the service offered by GitGuardian and all the information necessary to allow developers to independently remediate the incident if they do not wish to use the GitGuardian services.
In doing this, GitGuardian acts only as a Good Samaritan, in a pro bono manner, for the sole purpose of protecting developers from serious and imminent danger.
GitGuardian’s purpose in providing this service is compelling. We cannot witness such security breaches, some of which are estimated to be worth tens of thousands of dollars in potential damage, without making our best efforts to assist those who may be harmed.
This information notice aims at providing you with information about the processing of data carried out by us in the context of our Good Samaritan developer alerting service, so that you can understand why and how your data are processed, where applicable.
2. Personal data we process
The only personal data collected and processed by GitGuardian as part of the Good Samaritan developer alerting service is:
- the developers’ business email address listed on their public GitHub profile.
3. Legitimate purposes pursued by GitGuardian
The data processing carried out in the context of the developer alerting service has the legitimate purpose of:
- alerting, free of charge, via their business email address, developers who have inadvertently published identifiers on the GitHub public code repository platform;
- assisting them.
4. Legal basis of our processing
Pursuant to Article 6(1)(f) of the General Data Protection Regulation, the processing is based on the legitimate interests pursued by GitGuardian.
As a cybersecurity firm, we are aware of our responsibility and role in protecting personal data. We therefore offer our developer alerting service out of a purely ethical concern.
Although we have no general duty to monitor public code repositories and are not commissioned by clients to do so, we have voluntarily set up this developer alerting service to combat leaked identifiers and other secrets hidden in source code, thereby fighting against cyber attacks.
This service, which is free of charge for developers, is intended solely to:
- protect professional developers against leaked identifiers and other secrets hidden in source code;
- assist them while leaving them free to remedy the leak on their own or to choose to use the services of GitGuardian;
- establish our reputation as a ‘White Hat’, a term used in cybersecurity to designate those with a deeply ethical approach.
In our “The State of Secrets Sprawl 2022” report published on our website, we note an alarming growth in the number of corporate secrets found in source code exposed to the public via GitHub.
In 2021, we detected more than 6 million secrets over the year. This high figure reflects poor control processes, bad practices, old habits that need to be eradicated and sometimes a lack of awareness among developers of Security by Design. These inattentions can then be used as a basis for cyber-attacks or information leaks.
Thanks to these emails, we have built a very strong community of developers who are grateful for the service we provide, and we have gained a reputation, including internationally (our customers include large American corporations). In France, GitGuardian was honoured by Mr. Cédric O at the International Cyber Security Forum 2021 (FIC) as winner of the FIC Start-up of the Year Award.
5. Data recipients
Access to your data is limited to the developers of GitGuardian’s Good Samaritan alerting service.
We ensure that only authorized persons have access to your data.
6. Data transfers
We may transfer personal data outside the European Union as part of the IT tools we use for our business.
These transfers can only be made after we have taken steps to secure them, for example by ensuring that we have concluded the standard contractual clauses adopted by the European Commission to provide a framework for such data flows.
7. How long we will keep developers’ business email addresses
We have a data purge policy in place to ensure that developers’ email addresses are kept for no longer than is necessary for the purposes for which we collect them.
Under this purge policy, a developer’s email address is kept for five (5) years and then automatically deleted.
We allow alerted developers the option of using our free service for five (5) years.
Developers will not be contacted by GitGuardian while their email address is kept.
8. Data security
The security of your personal data is very important to us.
We have implemented appropriate technical and organizational measures to ensure the security and confidentiality of the data processed in the context of the developer alerting service, with a view to protecting such data from malicious intrusion, loss, alteration or disclosure to unauthorized third parties.
We are committed to a SOC 2 approach to the security of our information system.
We also have an internal information security policy, which is reviewed annually.
When we use a service provider, we will only disclose personal data to them after we have obtained an undertaking and guarantees from them that they will meet the security and confidentiality requirements laid down by data protection regulations.
9. Our processors
In compliance with our statutory and regulatory obligations, we enter into contracts with our processors, which precisely define the terms and conditions under which they process personal data, in accordance with personal data protection laws.
We use several processors for processing data in the context of the developer alerting service.
For data hosting, we use:
- AWS (data processing agreement).
For sending emails, we use:
- MailGun (data processing agreement).
10. Rights of data subjects
We are very committed to respecting your rights in the context of the data processing that we carry out, in order to ensure fair and transparent processing.
In accordance with the applicable regulations, you have the right to access, rectify and delete your personal data. You may also object at any time to the processing of your personal data or request the restriction of such processing.
You further have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning you or similarly significantly affects you.
You may also give instructions concerning the fate of your data after your death.
You should also know that, where necessary, you have the right to file a complaint with the CNIL or to seek a judicial remedy.
The rights you have and how to exercise them are described in more detail below.
10.1 Right of access to data
In the interests of transparency, GitGuardian undertakes to provide you on request with a copy of the personal data that it processes concerning you, including in electronic format.
Exercising the right of access to your data allows you to verify their accuracy and, where necessary, to have them rectified or erased.
You may have access to the following information:
- the purposes of the processing;
- the categories of personal data processed;
- the recipients or categories of recipient to whom your personal data have been or will be disclosed, in particular recipients in third countries or international organizations;
- where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period;
- the existence of the right to request from us rectification or erasure of your personal data, and the existence of the right to request from us restriction of processing of your personal data or to object to such processing;
- details on the right to file a complaint with a supervisory authority;
- where the personal data are not collected from you, any available information as to their source;
- the existence of automated decision-making, including profiling and, at least in those cases, meaningful information about the logic involved, as well as the significance and the consequences of such processing for you;
- information on how any data transfers to countries outside the European Union are framed.
For any further paper copies requested by you, we may charge a reasonable fee based on administrative costs.
10.2 Right to rectification of data
If the data about you held by GitGuardian are inaccurate, incomplete or out of date, you may request that they be rectified at any time.
10.3 Right to erasure of data
You may request the erasure of your personal data in the cases provided for by laws and regulations.
However, we would like to draw your attention to the fact that this right cannot be exercised in respect of data that must be retained to enable us to comply with legal obligations, or to enable us to establish, exercise or defend our legal claims.
10.4 Right to restriction of processing
You may request the restriction of processing of your personal data in the cases provided for by laws and regulations.
10.5 Right to object to processing
You have the right to object, on grounds relating to your particular situation, at any time to processing of your personal data where the legal basis is the legitimate interest pursued by the controller.
If you exercise such a right to object, we will ensure that we no longer process your personal data in connection with the processing concerned unless we can demonstrate compelling legitimate grounds for continuing such processing. These grounds must override your interests, rights and freedoms, or the processing must be justified for the establishment, exercise or defense of legal claims.
10.6 Right to file a complaint
You have the right to file a complaint with the Commission Nationale de l’Informatique et des Libertés (CNIL) (3 Place de Fontenoy, 75007 Paris) in French territory, without prejudice to any other administrative or judicial remedy.
10.7 Right to give post-mortem instructions
You have the possibility of defining specific instructions on how your personal data should be stored, deleted and shared after your death. These special instructions will only apply to the processing carried out by us and will be limited to that scope.
You also have the right to define general instructions concerning all your personal data. They may be registered with a third party digitally certified by the Commission Nationale de l’Informatique et des Libertés (CNIL).
You may revoke your instructions at any time.
10.8 How to exercise your rights
You can send us your requests to exercise your rights either:
- by email to the address: firstname.lastname@example.org; or
- by mail to the following address: GitGuardian, 54 rue de Seine, 75006 Paris.
A reply will be sent to you within one month of receipt of your request. That period may be extended by two further months where necessary. In such a case, you will be informed of any such extension, together with the reasons for the delay.
11. Change to this information notice
We invite you to consult this policy regularly on our website. It may be updated from time to time.