Security You Can Verify

Read-only access. Encrypted data. Transparent practices. No surprises.

SOC 2 Type II · GDPR Compliant · ISO 27001

Minimum Permissions, Maximum Trust

GitSense requests only read-only access to your repos via OAuth. We never ask for write permissions. You can verify this in your GitHub/GitLab settings at any time.

  • Read-only access to code, PRs, commits, and issues
  • No write permissions—we can't modify your code or settings
  • Revocable anytime from your GitHub/GitLab account settings
  • Granular repo selection—choose which repos GitSense can access

Verify yourself: Check Settings → Applications → GitSense in GitHub to see the exact permissions granted.
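The "verify yourself" step above can also be automated. The following is an added example, not GitSense's own code: it inspects the `permissions` object that GitHub's `GET /user/installations` endpoint returns for an installed GitHub App, and the classic `X-OAuth-Scopes` response header of an OAuth token, and reports anything that grants more than read access. The installation record and scope header are constructed sample data (the `checks: write` entry is there on purpose so the check has something to flag), and the read-only scope rule is a conservative assumption: only `read:*` scopes and `user:email` are treated as read-only.

```python
import json

# Constructed sample of one installation object as returned by
# GitHub's GET /user/installations (only the fields used here).
SAMPLE_INSTALLATION = json.dumps({
    "id": 1,
    "app_slug": "example-app",  # placeholder, not a real app slug
    "permissions": {
        "contents": "read",
        "pull_requests": "read",
        "issues": "read",
        "metadata": "read",
        "checks": "write",  # deliberately present so the check flags it
    },
})

# Constructed sample of a classic token's X-OAuth-Scopes header value.
SAMPLE_SCOPES_HEADER = "read:org, read:user, user:email"

# GitHub App permission levels are "read", "write" or "admin".
READ_LEVELS = {"read"}


def app_permissions_beyond_read(installation_json: str) -> dict:
    """Return {permission: level} for every App permission above read."""
    record = json.loads(installation_json)
    perms = record.get("permissions", {})
    return {name: lvl for name, lvl in perms.items() if lvl not in READ_LEVELS}


def is_read_only_scope(scope: str) -> bool:
    # Assumption (conservative): only read:* scopes and user:email are
    # read-only; anything else (repo, gist, workflow, ...) is treated as write.
    return scope.startswith("read:") or scope == "user:email"


def oauth_scopes_beyond_read(scopes_header: str) -> list:
    """Return the classic OAuth scopes in the header that are not read-only."""
    scopes = [s.strip() for s in scopes_header.split(",") if s.strip()]
    return [s for s in scopes if not is_read_only_scope(s)]


def verify_read_only(installation_json: str, scopes_header: str) -> bool:
    """True only if neither App permissions nor token scopes exceed read."""
    return (not app_permissions_beyond_read(installation_json)
            and not oauth_scopes_beyond_read(scopes_header))


if __name__ == "__main__":
    print("App permissions beyond read:", app_permissions_beyond_read(SAMPLE_INSTALLATION))
    print("OAuth scopes beyond read:", oauth_scopes_beyond_read(SAMPLE_SCOPES_HEADER))
    print("read-only:", verify_read_only(SAMPLE_INSTALLATION, SAMPLE_SCOPES_HEADER))
```

To run it against a live account, replace the constructed samples with the JSON body and `X-OAuth-Scopes` header from your own authenticated API responses.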

What We Store (and What We Don't)

Your code is analyzed in transit and never stored permanently. We retain only the metadata and insights needed to provide GitSense features.

What We Store

  • PR metadata (title, author, timestamps)
  • Commit messages and file paths
  • Generated summaries and risk scores
  • Repo structure (file tree, dependencies)
  • User preferences and settings

What We Don't Store

  • Full source code files
  • Secrets, API keys, or credentials
  • Customer data from your application
  • Git history beyond metadata
  • Any PII from code comments

Data retention: Insights are kept for 90 days. You can request deletion anytime via Settings.

Encryption at Every Layer

Data is encrypted in transit and at rest using industry-standard protocols. We follow OWASP guidelines and conduct regular security audits.

  • TLS 1.3 for all data in transit (API calls, webhooks)
  • AES-256 encryption for data at rest (database, backups)
  • Encrypted backups with separate key management
  • Secrets management via HashiCorp Vault (no hardcoded keys)

Secure Infrastructure & Isolation

GitSense runs on hardened infrastructure with network isolation, DDoS protection, and 24/7 monitoring. Enterprise customers can opt for self-hosted deployment.

  • Multi-tenant isolation—your data is logically separated from other customers
  • DDoS protection and rate limiting on all endpoints
  • Automated patching for OS and dependencies within 48 hours of CVE disclosure
  • Self-hosted option for Enterprise (deploy in your VPC/on-prem)

Compliance & Certifications

GitSense undergoes regular third-party audits and maintains compliance with industry standards. Audit reports are available to Enterprise customers under NDA.

SOC 2 Type II

Annual audit covering security, availability, and confidentiality. Last audit: Q4 2023.

GDPR

Full compliance with EU data protection regulations. Data processing agreements available.

ISO 27001

Information security management system certified. Recertified annually.

CCPA

California Consumer Privacy Act compliant. User data rights honored within 48 hours.

Monitoring, Logging & Incident Response

We log all access and changes for audit trails. Security incidents are detected, contained, and disclosed according to our incident response plan.

  • Audit logs for all API access, retained for 1 year
  • Real-time alerting for anomalous access patterns
  • Incident response plan with <4 hour detection, <24 hour disclosure
  • Bug bounty program via HackerOne (responsible disclosure)

Have Security Questions?

We're transparent about our practices. If you have questions or need to report a vulnerability, contact us.