As developers, we understand the security of your company’s source code is extremely important. This page describes select measures we employ to ensure your code is safe. If you have any questions, please don’t hesitate to contact us.
datree’s physical infrastructure is hosted and managed within Amazon’s data centers and is built on Amazon Web Services (AWS). Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- Sarbanes-Oxley (SOX)
For more info, please see: https://aws.amazon.com/security
Data Encryption in Motion
All of our web assets are served over SSL/TLS to meet the highest security and data protection standards. We regularly verify our certificates and the encryption algorithms in use to keep your data safe.
Data Encryption at Rest
All sensitive user data is encrypted at rest. We use the industry-standard AES-256 algorithm to encrypt your data in our database. Learn more about Encrypting Amazon RDS Resources and Server-Side Encryption with Amazon S3-Managed Encryption Keys.
Vulnerability and Patch Management
Our application infrastructure is based on AWS managed services. AWS is responsible for patching the systems that support the delivery of our services. Learn more about the AWS shared responsibility model.
Protected and Tested Backups
We keep protected and tested backups of our database with 14-day retention. All backups are encrypted. Learn more about Amazon RDS automatic backups.
Firewalls are used to restrict access to systems from external networks and between systems internally. By default, all access is denied; only explicitly allowed ports and protocols are permitted, based on business requirements. Each system is assigned to a firewall security group according to the system’s function, and that security group allows only the ports and protocols required for that function.
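The default-deny, per-function security group model described above can be audited mechanically. The following is an added example (not datree’s code) that checks security group rules, in the shape returned by `aws ec2 describe-security-groups`, against a per-function allow-list and reports every inbound rule that is not explicitly permitted. The group IDs, the function names and the policy itself are constructed for illustration.

```python
"""Audit EC2 security groups against a per-function inbound allow-list.

Added example, not datree's code.  Rules are expected in the format of the
`IpPermissions` entries returned by `aws ec2 describe-security-groups`.  The
policy maps a system function ("web", "api", "db") to the only inbound rules
that function may accept; anything else is a finding.  All IDs, CIDRs and the
policy are constructed samples.
"""
from dataclasses import dataclass
from typing import Iterable

# Sources that mean "the whole Internet" (IPv4 and IPv6).
ANYWHERE = {"0.0.0.0/0", "::/0"}


@dataclass(frozen=True)
class Allowed:
    """One permitted inbound rule: protocol, port range and a single source."""
    protocol: str   # "tcp", "udp" or "icmp"
    from_port: int
    to_port: int
    source: str     # a CIDR block or a security-group ID (sg-...)


# Constructed policy: each function accepts only what its role requires.
# Only the public web tier may receive traffic from the Internet; the API
# tier accepts traffic from the web tier's group, the DB from the API tier's.
POLICY = {
    "web": [Allowed("tcp", 443, 443, "0.0.0.0/0")],
    "api": [Allowed("tcp", 8443, 8443, "sg-web-0001")],
    "db":  [Allowed("tcp", 5432, 5432, "sg-api-0002")],
}


def _sources(perm: dict) -> Iterable[str]:
    """Yield every source (CIDR or group ID) of one IpPermissions entry."""
    for r in perm.get("IpRanges", []):
        yield r["CidrIp"]
    for r in perm.get("Ipv6Ranges", []):
        yield r["CidrIpv6"]
    for p in perm.get("UserIdGroupPairs", []):
        yield p["GroupId"]


def audit_group(group: dict, function: str, policy: dict = POLICY) -> list[str]:
    """Return one finding per inbound rule not covered by the function's allow-list.

    An empty list means the group is exactly as restrictive as the policy demands.
    """
    allowed = policy.get(function, [])
    findings = []
    for perm in group.get("IpPermissions", []):
        proto = perm["IpProtocol"]
        for src in _sources(perm):
            # "-1" is the AWS encoding for "all protocols, all ports": never allowed.
            if proto == "-1":
                findings.append(f"{group['GroupId']}: all traffic from {src}")
                continue
            lo, hi = perm["FromPort"], perm["ToPort"]
            covered = any(
                a.protocol == proto and a.from_port <= lo and hi <= a.to_port and a.source == src
                for a in allowed
            )
            if not covered:
                where = "the Internet" if src in ANYWHERE else src
                findings.append(
                    f"{group['GroupId']}: {proto} {lo}-{hi} from {where} "
                    f"is not in the '{function}' allow-list"
                )
    return findings


# Constructed samples of describe-security-groups output.
GOOD_DB_GROUP = {
    "GroupId": "sg-db-0003",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-api-0002"}]},
    ],
}
BAD_DB_GROUP = {
    "GroupId": "sg-db-0004",
    "IpPermissions": [
        # Database port exposed to the whole Internet.
        {"IpProtocol": "tcp", "FromPort": 5432, "ToPort": 5432,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "UserIdGroupPairs": []},
        # "Allow everything" from the web tier, bypassing the API tier.
        {"IpProtocol": "-1", "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-web-0001"}]},
    ],
}

if __name__ == "__main__":
    for g, fn in ((GOOD_DB_GROUP, "db"), (BAD_DB_GROUP, "db")):
        for line in audit_group(g, fn) or [f"{g['GroupId']}: compliant"]:
            print(line)
```

The check deliberately treats a port range that is wider than the allowed one as a finding, so a rule opening 5000-6000 is not excused by an allow-list entry for 5432 alone. Egress rules (`IpPermissionsEgress`) can be audited with the same function by passing them in place of `IpPermissions` and a corresponding egress policy.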
Learn more about authenticating with GitHub Apps and identifying and authorizing users for GitHub Apps. To review GitHub’s security best practices, please see https://help.github.com/articles/github-security.
Auth0: authentication and authorization as a service
To review Auth0’s security best practices, please see https://auth0.com/security
Application Secrets Protection
Secrets are stored in a secure encrypted store “at rest” and are accessed with an encrypted connection “in motion”. Encryption keys are rotated. Keys are not stored in the code. Learn more about AWS Systems Manager Parameter Store and AWS KMS.
Our platform is built from several microservices, which are exposed to the outside world through a centralized API Gateway that applies authentication and authorization.
System and Application Log Collection
All system access and customer access is logged and tracked for auditing purposes.
No datree employee has access to the production environment.
The production database is only accessed for maintenance and management purposes and only by authorized R&D personnel.
We believe that by keeping our security statement transparent and our status page up to date, interested parties will feel more confident about datree’s practices and processes.
We have 24/7 on-call personnel responsible for incident response.
How does datree access my GitHub account?
When you sign up for datree, you install datree’s GitHub App on your GitHub organization (or part of it). This allows us to request data from the GitHub API as a GitHub App installation, with the permissions defined by the app, using a temporary token generated by GitHub that is valid for one hour.
We use this access in the following situations, and under no other circumstances than described below:
- To synchronize the repositories you have access to. We use this information to show you the available repositories on your repositories page so you can enable or disable scanning them on the datree platform.
- To access the project’s code component configuration files (such as package.json, travis.yml, etc.) from your GitHub repository.
- To access the project’s Git metadata, such as user commits and any other Git operation.
- To create and update checks and check suites as part of the pull request process.
- To create comments on commits.
Under no circumstances does datree write or modify source code or Git metadata in your GitHub repositories. Source code from your repositories is accessed read-only, for the sole purpose of automatically executing the scans.
We only manually access your code when explicitly requested by you and only with explicit consent by you, and only to debug and help solve catalog issues.
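Two practical consequences of the access model above are that an installation should hold no more permission than the operations listed require, and that the one-hour installation token must be refreshed before it expires. The following is an added example (not datree’s code) showing both checks on constructed payloads in the shape of the GitHub App installation API responses. The `EXPECTED_PERMISSIONS` allow-list is an illustrative assumption about which scopes the listed operations need, not a statement of the app’s actual configuration.

```python
"""Least-privilege and token-lifetime checks for a GitHub App installation.

Added example, not datree's code.  `excess_permissions` compares the
`permissions` object of an installation (as returned by the GitHub API) with
an expected allow-list and reports every scope granted at a higher level than
expected.  `InstallationToken` parses the access-token response, whose
`expires_at` field GitHub sets one hour ahead, and decides when to refresh.
The expected scopes and all sample payloads are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Permission levels ordered from least to most privileged.
LEVELS = {"none": 0, "read": 1, "write": 2, "admin": 3}

# Constructed allow-list (an assumption, not the app's real manifest):
# read repository metadata and file contents, write checks for pull requests.
EXPECTED_PERMISSIONS = {"metadata": "read", "contents": "read", "checks": "write"}


def excess_permissions(granted: dict, expected: dict = EXPECTED_PERMISSIONS) -> list[str]:
    """Return scopes granted above their expected level (or not expected at all)."""
    findings = []
    for scope, level in granted.items():
        want = expected.get(scope, "none")
        # Unknown level names rank as maximally privileged so they are always reported.
        if LEVELS.get(level, 99) > LEVELS[want]:
            findings.append(f"{scope}: granted {level}, expected {want}")
    return sorted(findings)


@dataclass
class InstallationToken:
    """A short-lived installation access token and its expiry."""
    token: str
    expires_at: datetime

    @classmethod
    def from_response(cls, body: dict) -> "InstallationToken":
        # GitHub returns RFC 3339 timestamps with a trailing "Z" (UTC).
        ts = body["expires_at"].replace("Z", "+00:00")
        return cls(token=body["token"], expires_at=datetime.fromisoformat(ts))

    def needs_refresh(self, now: datetime, skew: timedelta = timedelta(minutes=5)) -> bool:
        """True when the token expires within `skew`; refresh before the edge."""
        return now + skew >= self.expires_at

    def seconds_left(self, now: datetime) -> int:
        """Remaining validity in whole seconds, never negative."""
        return max(0, int((self.expires_at - now).total_seconds()))


# Constructed sample of an installation access-token response.
SAMPLE_TOKEN_RESPONSE = {
    "token": "ghs_CONSTRUCTED_SAMPLE_TOKEN",
    "expires_at": "2018-09-26T13:00:00Z",
    "permissions": {"metadata": "read", "contents": "read", "checks": "write"},
}

# Constructed sample of an installation that drifted from least privilege.
OVERPRIVILEGED = {"metadata": "read", "contents": "write", "checks": "write",
                  "administration": "read"}

if __name__ == "__main__":
    tok = InstallationToken.from_response(SAMPLE_TOKEN_RESPONSE)
    now = datetime(2018, 9, 26, 12, 56, tzinfo=timezone.utc)
    print("refresh needed:", tok.needs_refresh(now), "seconds left:", tok.seconds_left(now))
    for f in excess_permissions(SAMPLE_TOKEN_RESPONSE["permissions"]) or ["permissions as expected"]:
        print(f)
    for f in excess_permissions(OVERPRIVILEGED):
        print(f)
```

Refreshing a few minutes early rather than at the exact expiry avoids a scan failing mid-clone because the token lapsed between the check and the request; the skew is a tunable margin, not a GitHub parameter.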
How does datree access my source code?
Other than reading datree’s configuration file and your code component configuration files to populate the catalog with data about code components, people and projects, the only time we access your repository directly is when checking out the source code on one of our scan machines.
The source code is only accessed via HTTPS/SSH, using a GitHub token for authentication.
What data do we store from GitHub?
When we finish scanning the repository, we save the repository metadata, code component usage data and organization data. In any case, we don’t save a copy of your codebase.
If you find a bug or security issue on our website, please let us know right away by emailing firstname.lastname@example.org (and we will send you a fashionable t-shirt to say thanks!).
If you’d like more detail about our security processes, email email@example.com.
Last updated Sep 26, 2018