GitGuardian successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that GitGuardian’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security.
GitGuardian helps developers, ops, security and compliance professionals to define and enforce policies consistently and globally across all their entire stack, be it their version control systems, their logs or their cloud systems and applications. Security is part of our DNA along with transparency. We're transparent with our security program so our users can be informed and feel safe using our products and services.
This security overview provides a high-level overview of the security practices put in place at GitGuardian.
Have questions or feedback? Feel free to reach out to us at [firstname.lastname@example.org]
Dedicated Security Team
We have a DevSecOps team dedicated to improving the security of our organization. Our employees are trained on security incident response.
All of our services run in the cloud. We don’t host or run our own servers, switches, routers, load balancers or DNS servers.
GitGuardian provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture. GitGuardian leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.
- All customer cloud environments and data are isolated with a software tenant based isolation. Each customer environment is stored within a dedicated trust zone to prevent any accidental or malicious co-mingling.
- All data is also encrypted at rest and in transmission to prevent any unauthorized access and prevent data breaches. Our entire platform is also continuously monitored by dedicated, highly trained GitGuardian experts.
- We separate each customer's data and our own, utilizing unique encryption keys to ensure data is protected and isolated.
- Client’s data protection complies with SOC 2 standards to encrypt data in transit and at rest, ensuring customer and company data and sensitive information is protected at all times.
- We implement role-based access controls and the principles of least privileged access, and review revoked access as needed.
Our service is built on Amazon Web Services (AWS). They provide strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here:
Data center security
Data center security is part of the services provided by AWS. They have been certified as ISO 27001, PCI/DSS Service Provider Level 1, and/or SOC 2 compliance.
AWS infrastructure services include back-up power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data.
Learn more about Data Center Controls at AWS.
Network level security monitoring and protection
Our network security architecture consists of multiple security zones. Each environment has its own VPC and each service is isolated on different subnets with strict control through security groups about allowed communication. By default:
- all communication between services are denied
- all communication from a subnet to another are denied
Security groups are regularly reviewed to ensure that only necessary communications are allowed (incoming and outgoing traffic, from inside or outside).
External access to the architecture:
- Administrator access are made through SSH bastions and we store audit access logs
- SSH connections are allowed through signed certificate
- Certificates are issued after a connection to our IDP with 2FA steps
- Access to our bastions are filtered with ACLs
We use AWS Shield in front of our architecture to protect our service from Distributed Denial of Service (DDoS) attacks.
All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS). We use the most restrictive TLS policy available from AWS, (ELBSecurityPolicy-FS-1-2-Res-2019-08, details available here, which enable only TLS 1.2.)
All data sent inside our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS) 1.2 only.
All our data (including user data, passwords, etc) is encrypted at rest using battled-proofed encryption algorithms.
Data retention and removal
We don’t retain your data after the end of the service. All data is then completely removed from the dashboard and server.
Every user can request the removal of usage data by contacting support.
Read more about our privacy settings.
Business continuity and disaster recovery
We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.
Application security monitoring
We use technologies to monitor exceptions, logs and detect anomalies in our applications.
We collect and store logs to provide an audit trail of our applications activity.
We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
Application security protection
We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real-time.
We use security headers to protect our users from attacks.
We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25).
We use the following best practices to ensure the highest level of security in our software:
- All development projects at GitGuardian, including on-premises software products, support services, and our own Digital Identity Cloud offerings follow secure development lifecycle principles.
- All development of new products, tools, and services, and major changes to existing ones, undergo a design review to ensure security requirements are incorporated into proposed development.
- All team members that are regularly involved in any system development undergo annual secure development training in coding or scripting languages that they work with as well as any other relevant training.
We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25).
GitGuardian deploys third party penetration testing and vulnerability scanning of all production and Internet facing systems on a regular basis.
- All new systems and services are scanned prior to being deployed to production.
- We perform penetration testing both by internal security engineers and external penetration testing companies on new systems and products or major changes to existing systems, services, and products to ensure a comprehensive and real-world view of our products & environment from multiple perspectives.
- We perform static and dynamic software application security testing of all code, including open source libraries, as part of our software development process.
GitGuardian is committed to providing secure products and services. Our external certifications provide independent assurance of GitGuardian’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices we have in place.
GitGuardian successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that GitGuardian SAS’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security.
GitGuardian was audited by Prescient Assurance, a leader in security and compliance certifications for B2B, SAAS companies worldwide. Prescient Assurance is a registered public accounting in the US and Canada and provide risk management and assurance services which includes but not limited to SOC 2, PCI, ISO, NIST, GDPR, CCPA, HIPAA, CSA STAR etc. An unqualified opinion on a SOC 2 Type II audit report demonstrates to the GitGuardian SAS’s current and future customers that they manage their data with the highest standard of security and compliance.
The SOC 2 report is for limited distribution and shared under non-disclosure agreement (NDA). Please direct all requests to email@example.com
We’re compliant to the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply with GDPR.
GitGuardian takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.
- All GitGuardian contractors and employees undergo background checks prior to being engaged or employed by us in accordance with local laws and industry best practices.
- Confidentiality or other types of Non-Disclosure Agreements (NDAs) are signed by all employees, contractors, and others who have a need to access sensitive or internal information.
- We embed the culture of security into our business by conducting employee security training & testing using current and emerging techniques and attack vectors.