Transparency & security are part of our DNA
Table of content
OverviewDedicated Security TeamInfrastructure- Cloud infrastructure- Data center security- Network level security monitoring and protection- DDoS protection- Data encryptionData retention and removalBusiness continuity and disaster recoveryApplication security monitoringApplication security protectionSecure developmentComplianceGDPREmployee acessGitGuardian successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that GitGuardian’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security.
GitGuardian helps developers, ops, security and compliance professionals to define and enforce policies consistently and globally across all their entire stack, be it their version control systems, their logs or their cloud systems and applications. Security is part of our DNA along with transparency. We're transparent with our security program so our users can be informed and feel safe using our products and services.
This security overview provides a high-level overview of the security practices put in place at GitGuardian.
Have questions or feedback? Feel free to reach out to us at [security@gitguardian.com]
We have a DevSecOps team dedicated to improving the security of our organization. Our employees are trained on security incident response.
All of our services run in the cloud. We don’t host or run our own servers, switches, routers, load balancers or DNS servers.
GitGuardian provides maximum security with complete customer isolation in a modern, multi-tenant cloud architecture. GitGuardian leverages the native physical and network security features of the cloud service, and relies on the providers to maintain the infrastructure, services, and physical access policies and procedures.
Our service is built on Amazon Web Services (AWS). They provide strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here:
Data center security is part of the services provided by AWS. They have been certified as ISO 27001, PCI/DSS Service Provider Level 1, and/or SOC 2 compliance.
AWS infrastructure services include back-up power, HVAC systems, and fire suppression equipment to help protect servers and ultimately your data.
Learn more about Data Center Controls at AWS.
Our network security architecture consists of multiple security zones. Each environment has its own VPC and each service is isolated on different subnets with strict control through security groups about allowed communication. By default:
Security groups are regularly reviewed to ensure that only necessary communications are allowed (incoming and outgoing traffic, from inside or outside).
External access to the architecture:
We use AWS Shield in front of our architecture to protect our service from Distributed Denial of Service (DDoS) attacks.
All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS). We use the most restrictive TLS policy available from AWS, (ELBSecurityPolicy-FS-1-2-Res-2019-08, details available here, which enable only TLS 1.2.)
All data sent inside our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS) 1.2 only.
All our data (including user data, passwords, etc) is encrypted at rest using battled-proofed encryption algorithms.
We don’t retain your data after the end of the service. All data is then completely removed from the dashboard and server.
Every user can request the removal of usage data by contacting support.
Read more about our privacy settings.
We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.
We use technologies to monitor exceptions, logs and detect anomalies in our applications.
We collect and store logs to provide an audit trail of our applications activity.
We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real-time.
We use security headers to protect our users from attacks.
We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25).
We use the following best practices to ensure the highest level of security in our software:
We develop following security best practices and frameworks (OWASP Top 10, SANS Top 25).
GitGuardian deploys third party penetration testing and vulnerability scanning of all production and Internet facing systems on a regular basis.
GitGuardian is committed to providing secure products and services. Our external certifications provide independent assurance of GitGuardian’s dedication to protecting our customers by regularly assessing and validating the protections and effective security practices we have in place.
GitGuardian successfully completed the AICPA Service Organization Control (SOC) 2 Type II audit. The audit confirms that GitGuardian SAS’s information security practices, policies, procedures, and operations meet the SOC 2 standards for security.
GitGuardian was audited by Prescient Assurance, a leader in security and compliance certifications for B2B, SAAS companies worldwide. Prescient Assurance is a registered public accounting in the US and Canada and provide risk management and assurance services which includes but not limited to SOC 2, PCI, ISO, NIST, GDPR, CCPA, HIPAA, CSA STAR etc. An unqualified opinion on a SOC 2 Type II audit report demonstrates to the GitGuardian SAS’s current and future customers that they manage their data with the highest standard of security and compliance.
The SOC 2 report is for limited distribution and shared under non-disclosure agreement (NDA). Please direct all requests to contact@gitguardian.com
We’re compliant to the General Data Protection Regulation (GDPR). The purpose of GDPR is to protect the private information of EU citizens and give them more control over their personal data. Contact us for more details on how we comply with GDPR.
GitGuardian takes the security of its data and that of its clients and customers seriously and ensures that only vetted personnel are given access to their resources.