- We are using cloud providers (Amazon AWS and DigitalOcean) to run our backend.
- We are using Heroku to run our frontend.
- All communication between services is encrypted with SSL.
We keep everything safely in the cloud.
Software, file systems and communication
The codebeat website access is restricted to HTTPS connections. We do not use passwords for authentication - all private source code is transmitted over SSH connections authenticated with SSH keys. Each project in codebeat is assigned a unique SSH key which is added to the Git server as a "deploy key". At codebeat we never execute the source code you add to our application.
We do not store user passwords, so no one (even our team) can read them. However, it is your responsibility to protect your password, as you use it to access codebeat services. For extra comfort and security we recommend using an external identity provider to log in to codebeat. Both currently supported providers (GitHub and Bitbucket) offer optional two-factor authentication.
Passwords to linked services like GitHub or Bitbucket are not stored by us as we use integration via either OAuth or API keys.
We have adapted GitHub’s security procedures when it comes to the encryption of source code. Like GitHub, we do not encrypt source code. Instead, we focus on and put great effort into making our machines and network as secure as possible.
We keep your data on codebeat's production servers until you delete it. This happens when you delete an individual repository or when you remove the account and its repositories. In case you delete something by accident, we keep backup data so that we are able to restore it for you; we do not delete the backup data, but keep it as secure as the production servers' data.
We encrypt everything. We delete everything you delete.
Our team has no access to your source code. When you request support and our support staff must access source code in order to address your issue, we will always obtain your explicit consent, except when responding to a critical security issue or suspected abuse. In such cases we will retroactively inform you about the actions taken.
We do our best to respect your privacy as much as possible and access only the minimum files and settings needed to resolve your issue. We do not give our staff direct access so repository copying is not possible.
Our people do not have access to your data.
Credit cards, online transactions
For credit card operations we use Braintree, a company dedicated to handling online card transactions. Braintree is certified to PCI Service Provider Level 1, the most stringent level of certification available. Braintree's security information is available online. We do not store your credit card data on our servers in any form.