🦉 The State of Secrets Sprawl Report 2026 – The year software changed forever

3
Read the report

🦉 The State of Secrets Sprawl Report 2026 – The year software changed forever

3
Read the report

Speak Up Policy

Forward arrow

Back to GitGuardian legal

Table of Contents

  1. Placeholder Link
  2. Placeholder Link

Speak Up Policy

A culture of transparency, speaking out, and reporting of serious concerns are essential elements to deliver legal and financial compliance, and, ultimately, a successful business. 

We encourage openness in the workplace and strive to create an environment where employees feel they can raise concerns without fear of reprisal and are comfortable and empowered to speak up about such concerns.

This Speak Up Policy (the “Policy”) encourages individuals to speak up in a confidential manner on concerns about suspected or actual criminal conduct, unethical conduct, or other misconduct including a (suspected) breach of law by or within GitGuardian.  

1. Scope

This Policy sets out GitGuardian’s approach to protecting whistleblowers with the aim of encouraging and supporting individuals to report concerns. It also provides details on the process for reporting, escalating, handling, and/or investigating and remedying concerns qualifying for protection.

This Policy does not form part of any individual employment contract or terms and conditions of employment. Where it considers it is appropriate to do so, GitGuardian may depart from, replace, cancel, or vary, this Policy from time to time in its absolute discretion. 

This Policy applies to GitGuardian SAS as well as any entity controlled by it (“GitGuardian”). 

2. Eligible whistleblower

This Policy applies to:

  • Members of staff, whether an officer, intern, or employee;
  • A former member of staff; 
  • Job applicants;
  • Shareholders and partners of GitGuardian;
  • Clients or suppliers of GitGuardian;
  • Contractors of GitGuardian and their staff;

These persons are the only possible whistleblowers covered under this Policy (the “Whistleblower”).

3. Reportable Conduct

Reportable Conduct” includes, but is not limited to:

  • Criminal or illegal activity (such as theft, fraud, dishonesty, and corruption); 
  • Breach of national or international law or regulation;
  • Serious breach of internal policy (such as discrimination, harassment, unethical or improper behavior, workplace safety issues); 
  • Bribery;
  • Conduct that endangers the public or the financial system;
  • Any other misconduct or improper state of affairs or circumstances about GitGuardian, or any other conduct which may cause financial or non-financial loss to GitGuardian or otherwise be detrimental to the interests of GitGuardian and its customers, including environmentally unsound practices.

A list of examples of Reportable Conduct is indicated in Annex A.

Reportable Conduct also includes a deliberate concealment of any conduct meeting the above description.

Suspected Reportable Conduct can be reported under this Policy. 

This Policy does not apply to personal work-related grievances. Personal work-related grievances are grievances relating to the discloser's current or former employment or engagement that have implications for that person personally and do not otherwise fall within the scope of Reportable Conduct. For example, an interpersonal conflict between two staff members, or a decision relating to employment or engagement, such as a transfer, promotion, or disciplinary action of the person. For such grievances, employees are encouraged to approach their manager or HRBP directly. 

Nothing in this Policy is intended to prohibit or discourage anyone from reporting perceived wrongdoing to any government agency or regulatory body.

4. Sending the report

GitGuardian encourages Whistleblowers to provide a report with as much detail as possible to ensure it can be fully and promptly handled and/or investigated. Whistleblowers should include at least the following details:

(1) Name, department, or division of the person(s) who committed Reportable Conduct;

(2) Specific details on the Reportable Conduct; 

(3) Reason why Whistleblower has come to consider that Reportable Conduct is committed;

(4) Documentation, information, or any other relevant evidence relating to the Reportable Conduct. 

Whistleblowers may report any Reportable Conducts through any of the following channels:

  • By contacting directly and setting up a meeting with:some text
    • Your manager; 
    • Your HRBP; 
    • VP of People;
    • Another member of the Executive Committee. 
  • By filling up a GoogleForm available here which will be transmitted to the VP People & Culture and the COO. 

It is recommended that, before reporting, Whistleblowers gather as much information, evidence, or relevant documentation as possible, considering one’s personal risk, so that the report can be effectively handled and/or investigated.

Any and all Whistleblowers must send a report on Reportable Conduct in good faith. A Whistleblower who intentionally files a false report of wrongdoing may be subject to disciplinary measures as indicated in Section 8 below. 

5. GitGuardian’s process for handling and investigating reports

GitGuardian handles and/or investigates each and every report received impartially, and without bias or prejudice against the Whistleblower or any other person involved in, or any witness to, the Reportable Conduct.

The Whistleblower is informed in writing of GitGuardian’s receipt of the report within 7 business days.

The specific steps taken to handle and/or investigate a report depend on its nature. 

Upon receiving a report, GitGuardian will determine the nature of the Reportable Conduct by taking into account different factors such as, but not limited to:

  • Whether it relates to a potential breach of applicable law or regulation;
  • The potential consequence and/or exposure for GitGuardian;
  • Whether the alleged Reportable Conduct is ongoing or not, and/or
  • The nature of any technical, financial, or legal advice that may be required to support the handling and/or investigation of the report.

The handling and/or investigative team may examine evidence, such as relevant documents, records, or data, to determine whether there is credible information indicating whether or not the Reportable Conduct has occurred. 

The handling and/or investigative team may conduct interviews with relevant people to obtain testimonial evidence relevant to the Reportable Conduct. GitGuardian may need to contact the Whistleblower to obtain further information and/or evidence. However, sometimes this is not possible (e.g. where a Whistleblower does not respond to requests for further information and/or refuses to answer questions that he or she believes could reveal his or her identity). The team handling and/or investigating the report on the Reportable Conduct may determine the appropriate time to inform the individual(s) who are the subject of the Reportable Conduct. In some circumstances, informing these individuals may compromise the effectiveness of the handling and/or investigation of the report. 

GitGuardian aims to complete the handling and/or investigation of reports received through the above channels promptly. However, circumstances such as the complexity of the situation surrounding the report, the sensitivity of the Reportable Conduct, competing priorities and other compelling reasons may justify an extended period for the completion of the handling and/or investigation of a given report.

The Whistleblower is also informed in writing within a reasonable time of any measures planned or taken. This period may not, in any case, exceed 3 months and 7 business days.

Where possible and if appropriate, the Whistleblower will receive updates on the status and/or the outcome of the handling and/or investigation of the report. 

Remediation and recommendations may be identified during the handling and/or investigation. This might include control changes, disciplinary action, and/or sanctions. 

GitGuardian is not obliged to reopen the handling and/or investigation of the report. However, if GitGuardian believes that the handling and/or investigation was not conducted properly, or if new information becomes available that was not considered, the Whistleblower should report this information as set out in this Policy. 

6. Confidentiality and Protecting a Whistleblower’s identity

If a Whistleblower discloses his or her identity, the person receiving the report will:

  • Treat the Whistleblower’s identity confidentially; and
  • Always ask whether the Whistleblower consents to GitGuardian disclosing his or her identity to persons who may be involved in: some text
    • handling and/or investigating the report,
    • taking disciplinary action based on the outcome of the handling and/or investigation, or
    • making other decisions in relation to the Reportable Conduct.

The Whistleblower is under no obligation to provide his or her consent but is encouraged to do so as it best enables GitGuardian to fully handle and/or investigate the report and take appropriate action. 

Individuals involved in the handling and/ or investigation of the report will not share any information relating to the report or the Reportable Conduct that is likely to lead to the Whistleblower’s identification without his or her consent, unless it is necessary to pass on such information for the purposes of handling and/or investigating the report in which case they will take all reasonable steps to reduce the risk that the Whistleblower will be identified as a result of the handling and/or investigation.

Whistleblowers may submit reports anonymously without disclosing their identity through one of the above channels. However, proper handling and/or investigation of an anonymous report is more difficult, and sometimes impossible, if GitGuardian does not know the Whistleblower’s identity.

7. Protecting a Whistleblower against retaliation

GitGuardian will not tolerate retaliation against a Whistleblower. 

GitGuardian is committed to protecting Whistleblowers and other individuals from retaliation. If a Whistleblower wants to send a report following the above channels on Reportable Conduct, he or she will be protected from retaliation as required under this Policy and by applicable law. 

Retaliation is any actual or threatened detriment (whether the threat is express or implied, conditional or unconditional) which a Whistleblower may suffer because he or she has, or has proposed to, send a report on Reportable Conduct. 

Retaliation may include, but is not limited to: 

  • Dismissal;
  • adverse impact on employment;
  • alteration of duties to his or her disadvantage;
  • discrimination between the Whistleblower and other individuals;
  • harassment or intimidation;
  • harm or injury, including psychological harm;
  • damage to property. 

Anyone engaged in retaliation may face serious internal - and potentially external - consequences under applicable legislation or regulations. If GitGuardian identifies anyone involved in retaliation, these individuals will be subject to disciplinary action, which may include dismissal. 

8. Disciplinary measures

A Whistleblower will not be subject to any disciplinary sanctions when sending an report in good faith, even if the allegations are incomplete or prove to be incorrect and unsubstantiated.

It should nevertheless be noted that this protection does not cover reports sent in bad faith, for instance by deliberately supplying false and incorrect information, or made maliciously, which may trigger disciplinary sanctions as well as legal sanctions in accordance with applicable law. 

9. Document retention 

The VP People & Culture will maintain a record of all reports, tracking their receipt, investigation and resolution. Reports, as well as any supporting evidence will be maintained for a minimum of 5 years from the closing of the investigation, except where otherwise required by local law. 

10. Personal Data 

For more information on how GitGuardian collects Personal Data of Whistleblowers when GitGuardian receives a report and how and why GitGuardian uses that Personal Data in handling and/or investigating a report, please read Annexe B.

11. Training

Communication and training are implemented and regularly given to new and old employees at GitGuardian so that this Policy is fully understood.

12. Monitoring and review of this Policy

The VP of People & Culture of GitGuardian is responsible for overseeing the implementation of this Policy, and will receive regular reports regarding concerns reported and the investigation of such concerns.

GitGuardian will review this Policy periodically to confirm that it is operating effectively and consider whether any changes are required.

GitGuardian may amend this Policy from time to time.

Policy owner: Grégory Leyne

Policy approver: Timothée d’Arco

Version: 1.0

Date (last updated): 28.05.2024

Annex A - Examples of Reportable Conduct

  1. Corruption

Whenever someone unduly offers or promises – directly or indirectly – any form of benefit to someone else, so that the recipient of the benefit does or refrains from doing something in the context of his/her professional activity. 

The notion of corruption applies to:

(i) People working in the public sector, such as those who have been elected to public office; or

(ii) People working in the private sector and holding managerial or supervisory roles, regardless of whether these duties are performed for other people or legal entities.

The “corruption” can be active (i.e., the person proposing, offering, or promising) or passive (i.e., the person accepting the promise or the offer). Both behaviors may be prosecuted by authorities.

Examples:

  • Paying a bribe to an officer to ensure that he or she releases a license or permit quicker.
  • Accepting a free vacation offered by a supplier as a reward for having placed an order with that supplier.
  • Inviting a client, as well as his/her spouse/partner to stay, for example, at a luxury hotel so that better sales terms and conditions can be agreed on.
  1. Influence Peddling

Whenever someone unduly promises or offers – directly or indirectly – any form of benefit to a person working in the public sector and entrusted with a public service mission so that individual improperly uses his/her influence, whether actual or supposed, to secure a favorable decision from a public authority or administration.

Example: 

Offering, giving, or promising a financial reward or any other benefit to a public official in order for them to influence another person’s decision in favor of GitGuardian for a tender.

  1. Theft

The fraudulent removal or appropriation of property belonging to another person without his/her permission or consent.

  1. Sexual Harassment

Repeatedly subjecting a person to sexually connoted comments or behavior that are detrimental to the person’s dignity due to their degrading or humiliating nature or creating an intimidating, hostile, or offensive situation for him/her.

Sexual harassment is also when the same employee suffers such comments or behaviors coming from multiple people, concerted or at the instigation of others, regardless of whether each of these individuals has not repeatedly engaged in the act or if the comments or behavior successively come from multiple people who, without doing so together, know that these comments or behavior are repeated.

Any form of serious pressure, even if not repeated, exercised with the real or apparent aim of obtaining any act of a sexual nature, regardless of whether it is sought for the benefit of the

author of the facts or a third party constitutes sexual harassment.

Examples: 

  • Making comments about his/her anatomy.
  • Attempting to obtain sexual favors.
  • Taking professional retaliatory measures.
  • Having insulting behavior towards a colleague consisting of insults and remarks of a sexually loaded nature and inappropriate gestures.
  1. Sexist Conduct

Any act linked to the sex/gender of a person aimed at or resulting in attacking that person’s dignity or creating an intimidating, hostile, degrading, humiliating, or offensive environment.

Examples: 

  • Making sexist comments, including sexist jokes.
  • Showing signs of incivility, such as giving nicknames to colleagues in relation to their sex/gender, ignoring legitimate requests from a colleague related to his/her sex/gender, and addressing colleagues in unprofessional and infantilizing terms.
  • Only valuing a colleague by praising the qualities linked to his/her gender.
  1. Moral Harassment

Repeated acts towards a colleague, the purpose or outcome of which is a deterioration of the colleague’s working conditions that could lead to violating his/her rights and his/her dignity, to altering his/her physical or mental health, or to compromising his/her professional future.

Examples: 

  • Humiliation
  • Degradation
  • Bullying or unjustified critiques
  • Oppressive measures
  • Aggressiveness
  • Isolation
  • Unjustified disciplinary pressure

Annex B - Whistleblowing Privacy Notice

At GitGuardian, we care about your privacy and are committed to protect your Personal Data in accordance with all applicable data protection laws and regulations. 

This Whistleblowing Privacy Notice (the “Notice”) provides information about how GitGuardian SAS and GitGuardian Inc. (collectively referred to as “GitGuardian”, “we”, “our”, “us”) collect Personal Data about you (“You” or “your”) when we receive a report and how and why we use that Personal Data in the course of our whistleblowing process.

Please carefully read and fully understand this Notice before submitting your Personal Data to us.

The Notice explains: 

  1. Personal Data we collect
  2. Use of your Personal Data
  3. Legal bases we rely on to process your Personal Data
  4. How we share your Personal Data
  5. How we safeguard your Personal Data
  6. How long we keep your Personal Data
  7. How your Personal Data is transferred internationally
  8. How You can exercise your data subject rights
  9. Cookies
  10. Update of the Notice
  11. Contact us

Please note that this Notice covers data regarding:

  • the Whistleblower;
  • Persons targeted in the report (the “Reported Person”);
  • Persons involved in the report or in the investigation process (the “Witness”).

The provision of your Personal Data is necessary in order to process your data with regard to our whistleblowing process. If You do not provide your Personal Data, we might not be able to process your request.

Identity and contact details of the Data Controllers

GitGuardan SAS is a company headquartered in France, at the registered address 54 rue de Seine 75006 Paris, France, with a US affiliate, GitGuardian Inc., based at 185 Alewife Brook Parkway Ste 210 Cambridge MA 02138.

When we say “GitGuardian” we’re referring to the GitGuardian entities that control and are responsible for your Personal Data.

1. Personal Data we collect

For the purpose of this Notice, “Personal Data” refers to the information that identifies, relates to, and describes or is reasonably capable of being associated with or being linked (directly or indirectly) to You.

Personal Data is processed in the event that a Whistleblower reports information as indicated and authorized under the Policy. 

In connection with our whistleblowing process, we may collect, use, and store Personal Data, either:

  • directly from You when You submit your data through a report in the course of an interview or testimony, or 
  • from third parties with your approval. For example, we may obtain Personal Data about You through Witnesses’ interviews.
Type fof Personal Data Examples
Identification and contact information Full name, email address, physical address, telephone number
Professional and employment informationProfessional contact, company name, job position, department
Information related to the report Facts reported and their verification elements, report on verification operations, action taken on the report, follow-ups, etc.

Regarding sensitive information, please note that we may collect or process Personal Data that reveals your government identifiers, financial accounts, racial or ethnic origin, religious, political or philosophical beliefs, genetic data, biometric data, trade union membership, or information about your health/sex life/sexual orientation, as well as data relating to offenses, convictions and security measures concerning natural persons, depending on the nature and severity of the report. (“Sensitive Personal Data”).

Applicable only to data subjects in the US:

Depending on how You interact with us, the following categories of Personal Data may be collected and disclosed in the preceding 12 months:

Identifiers, including name, email address, and telephone number;

Audio, electronic, visual, or similar information, including photographs;

Professional or employment-related information; 

Commercial information.

We do not infer characteristics using Sensitive Personal Data and do not use Sensitive Personal Data beyond the limited purposes permitted by local laws, including the California Consumer Privacy Act.

2. Use of your Personal Data

Your Personal Data is used to process reports in the scope of our whistleblowing process, and more specifically: 

  • collect and process reports; 
  • carry out the necessary verifications, investigations, and analyses; 
  • determine the follow-up to be given to the report; 
  • ensure the protection of the persons concerned, and in particular ensure confidentiality of the identity of the author of the report and subsequent exchanges with him or her but also the facts reported and the persons targeted; 
  • exercise or defend legal rights. 

3. Legal bases we rely on to process your Personal Data

We process your Personal Data based on the following:

  • our legal basis of the legal and regulatory obligations of GitGuardian as an employer, such as the compliance with labor laws, the French Sapin II Law or the Duty of Vigilance Act,
  • our legitimate interest to ensure to take charge for the alert or report, subject to not disregarding the interest or the fundamental rights and freedoms of the person concerned.

In addition, information relating to the protection of personal data is delivered specifically to the person referred to in the report, within a reasonable period not exceeding one month following receipt of the report, and by any suitable means. However, this information may be deferred if it is likely to compromise the achievement of the treatment objectives seriously. Thus, this information will only occur after precautionary measures have been taken to prevent the destruction of evidence relating to the facts reported and after having established the admissibility of the report.

With regard to Sensitive Personal Data, as part of the whistleblowing process, this data will only be collected and processed when the whistleblowing process meets an important public interest (within the meaning of Article 9.2.g of the GDPR) or is necessary, where applicable, for the establishment, exercise or defense of a legal right (e.g. specific provisions of French law, such as articles 8 or 17 of the “Sapin 2” law;  or to allow the person responsible to treatment to prepare and, where applicable, to exercise and follow legal action as a victim, accused, or on behalf of them”, in accordance with article 46-3° of the French law ‘Loi Informatique et Libertés’ as amended).

4. How we share your Personal Data

We do not sell your Personal Data to third parties. We also do not share your Personal Data to third parties for cross-context behavioral advertising. 

Internally, your Personal Data will be shared, on a need-to-know basis, with people in charge of the collection and management reports within GitGuardian.

With regard to external third parties, we endeavor to take appropriate steps to ensure that any third party who receives your Personal Data is bound to maintain its confidentiality. We may share information to:

  • Service providers to whom we may subcontract the management of certain activities, 
  • Experts commissioned for the purposes of the investigation, 
  • Administrative and judicial authority, where applicable.

6. How we safeguard your Personal Data

GitGuardian has implemented and continues maintaining all appropriate technical and organizational measures to protect your Personal Data and ensure the confidentiality, integrity, availability, and resilience of all our processing systems and services. We aim to continuously improve our physical, digital, and procedural safeguards to prevent any unauthorized access, disclosure, use, modification, damage, or loss of your Personal Data.  

6. How long we keep your Personal Data

Unless otherwise required or permitted by applicable laws and regulations, we endeavor not to retain your Personal Data for longer than it takes to complete the whistleblowing process.

The duration of data retention depends on the status of the report: we have the two following scenarios.

1) Reports received are kept until a final decision is made on the action to be taken;

2) When a final decision on the follow-up to be given to the report is taken, we have three sub-scenarios:

Case Retention period
The report is not admissible because it does not fall within the scope of the whistleblowing system Personal Data are kept for a period of three (3) months from the date on which the Reporter is informed of the inadmissibility of his report, in order to deal with any questions the author of the report may have regarding this decision.
 The report is admissible and results in no further action being taken or gives rise to non-disciplinary or non-judicial action Personal Data are kept for a period of one (1) year from the decision, in order to meet the following purposes: 
  • ensure the protection of the various stakeholders (author, facilitator, person mentioned or targeted in the report) against the risk of reprisals;
  • allow possible additional investigations;
  • provide evidence on the processing of the report in the event of litigation or subsequent checks on the conformity of the process of processing the reports (audit, authority).
 The report is admissible and gives rise to disciplinary or legal action against the Reported Person or against the author of an abusive behavior Personal Data are kept until the end of the procedure or the limitation period for appeals against the decision.

Beyond these retention periods, the data is anonymized or deleted.

7. How your data is transferred internationally

All your Personal Data is stored primarily within the European Economic Area. 

We may share your Personal Data with our US office when our US office employees are concerned,  that may be based outside of the European Economic Area. 

If your Personal Data is processed by us outside of the European Economic Area, we have taken suitable measures to ensure that your Personal Data is transferred in accordance with applicable data protection law, including, for example, to countries that adequately safeguard personal data as approved by the European Commission, or under the European Commission-approved Standard Contractual Clauses. 

Further information about the appropriate safeguards may be obtained by contacting us at legal@gitguardian.com.

8. How you can exercise your data subject rights

Through the whistleblowing process, You should ensure that all Personal Data You submit is accurate and complete. If you are unable to provide accurate and complete information for any reason or are unwilling to submit the Personal Data required for a specific position, we may not be able to process the report. 

In accordance with applicable laws and regulations, you have the following rights to your Personal Data:

Your rights Description
Right of access (art. 15 GDPR) You can request a confirmation as to whether or not your Personal Data is processed and you can, where applicable, receive a copy of your Personal Data.
Right of rectification (art. 16 GDPR) You can have your inaccurate Personal Data corrected and incomplete Personal Data completed.
Right of erasure (art. 17 GDPR) You can have your Personal Data erased under certain conditions.
Right to restrict processing (art. 18 GDPR) You can require us to restrict the processing of your Personal Data under certain conditions.
Right of portability (art. 20 GDPR) You can receive certain Personal Data that you provided in a machine-readable format under certain requirements.
Right to object (art. 21 GDPR) You can object to the processing of your Personal Data for certain purposes such as direct marketing.
Withdraw consent (art. 7 GDPR) You can withdraw consent to the processing of your Personal Data.
Right to lodge a complaint (art. 15 GDPR) If you think that the way we process your Personal Data does not comply with applicable data protection laws, you can contact the relevant competent data protection authority. GitGuardian’s lead supervisory authority under GDPR is the French Data Protection Authority CNIL (https://www.cnil.fr/fr/plaintes) 
Right to set post-mortem guidelines You may define specific guidelines for the storage, erasure, and communication of your Personal Data after your death. These specific guidelines will only concern the treatments implemented by us and will be limited to this perimeter alone.
Applicable to data subjects of GitGuardian in the state of California, as per California Consumer Privacy Act (“CCPA”): right to non-discrimination You have the right not to receive discriminatory treatment because you have exercised any of your rights under the CCPA

Before we accede to such a request, we may need to verify your identity. To ensure security and traceability, you may be asked to submit a written request. We always ensure we will promptly respond to such requests. 

To make such a request, please click here or write to legal@gitguardian.com

We may decline to process or limit certain requests under certain circumstances, e.g. if they are manifestly unfounded or excessive, or if they adversely affect the rights and freedoms of others. 

9. Cookies

If you apply through GitGuardian’s website, please note that your use of any of our services or website is also governed by our general Privacy Policy (https://www.gitguardian.com/legal/privacy-policy) and Cookie Policy (https://www.gitguardian.com/legal/cookie-policy).

10. Update of the Notice

GitGuardian reserves the right to update or change this Notice at any time. You are informed of the date of the last update at the top of this Notice. We will keep the Notice up to date with any changes.

11. Contact us

Should you have any questions or concerns about this Notice or your privacy, please contact us at legal@gitguardian.com.

Subscribe to our newsletter

Receive the latest content and updates from GitGuardian.

I agree to GitGuardian’s Privacy Policy

Thank you! Your subscription has been registered!
Oops! Something went wrong while submitting the form.

Platform

Internal Secrets Monitoring
Public Secrets Monitoring
NHI Governance
Integrations
Compare GitGuardian
Pricing
Value Calculator

Explore

Good Samaritan
Labs
Events
Security Champions
GitHub Security Audit
GitGuardian CLI
GitGuardian Scout

Resources

Blog
Learning Center
State of Secrets Sprawl
Roadmap
Documentation
API
Status

Company

About us
Community
Careers
Newsroom
Partners
Legal

Connect

Contact us
LinkedIn
Youtube
GitHub
Facebook
X (Twitter)