- We are using cloud providers (Amazon AWS and OVH) to run our backend.
- We are also using Heroku to run our frontend.
- All communication between services is encrypted with SSL.
We keep everything safely in the cloud.
Software, file systems and communication
The codebeat website access is restricted to HTTPS connections. We do not use passwords for authentication - all private source code is transmitted over SSH connections authenticated with SSH keys. Each project in codebeat is assigned a unique SSH key which is added to the Git server as a "deploy key". At codebeat we never execute the source code you add to our application.
We do not store user passwords so no-one (even our team) can read them. However, it is your responsibility to protect your password as you use it to access codebeat services. For extra comfort and security we recommend using an external identity provider to log in to codebeat. Both currently supported providers (GitHub or Bitbucket) offer optional two-factor authentication.
Passwords to linked services like GitHub or Bitbucket are not stored by us as we use integration via either OAuth or API keys.
We encrypt source code, OAuth credentials and any personally identifiable information using strong, industry-standard encryption.
We keep your data on codebeat's production servers until you delete them. It is done when you delete an individual repository or if you remove the account and it's repositories. In case you delete something by accident we keep backup data so that we are able to restore it for you; we do not delete the backup data, but keep it as secure as the production servers data.
We encrypt everything. We delete everything you delete.
Our team has no access to your source code. When you request support and our support staff must access source code in order to address your issue, we will always explicitly obtain your explicit consent, except when responding to a critical security issue or suspected abuse. In such case we will retroactively inform you about actions taken.
We do our best to respect your privacy as much as possible and access only the minimum files and settings needed to resolve your issue. We do not give our staff direct access so repository copying is not possible.
Our people do not have access to your data.
Credit cards, online transactions
For credit card operations we use Braintree, a company dedicated to handling online card transactions. Braintree is certified to PCI Service Provider Level 1, the most stringent level of certification available. Braintree's security information is available online. We do not store your credit card data on our servers in any form.