Data Sharing & Third Parties

Overview

At .git, we are transparent about how your data is processed, shared, and protected. We only share data with third parties when it is necessary to deliver, improve, or secure our platform, and only under strict contractual and technical safeguards.

We do not sell, rent, or trade your personal or repository data to data brokers, advertisers, or unrelated commercial entities. All third-party interactions are audited regularly and comply with international data protection standards, including GDPR, CCPA, and SOC 2 Type II.

                        Key Principle: Your code, commit history, deployment logs, and account information remain your property. We act as a data processor, not a controller, for your project data. Only explicitly shared or aggregated telemetry is used for platform operations.
                    

Third-Party Categories

We engage third-party service providers across the following functional categories. Each vendor is vetted for security posture, compliance certifications, and data handling practices.

Category	Examples	Data Shared	Purpose
Cloud Infrastructure	AWS, GCP, Cloudflare	Encrypted storage, compute logs, network traffic	Hosting, CDN, DDoS protection
Authentication & Identity	Auth0, Okta, OneLogin	Auth tokens, SSO metadata, session IDs	Secure login, MFA, access management
Analytics & Monitoring	Datadog, Sentry, PostHog	Aggregated usage metrics, error traces, performance stats	Platform reliability, debugging, UX improvements
Communication & Support	Intercom, SendGrid, Slack	Contact info, support tickets, notification preferences	Customer support, service alerts, billing
Compliance & Audit	Vanta, Drata, AWS Audit Manager	Access logs, configuration snapshots, policy records	Regulatory compliance, internal audits

A complete, up-to-date vendor list with security certifications is available in our Security & Trust Center.

Security & Safeguards

Every third-party relationship is governed by legally binding Data Processing Agreements (DPAs) and Business Associate Agreements (BAAs) where applicable. We enforce the following controls:

Encryption: All data in transit uses TLS 1.3+. Data at rest is encrypted with AES-256 or equivalent. Key management follows industry best practices.
Access Restrictions: Third parties receive only the minimum data required for their function. Access is scoped, time-limited, and logged.
Subprocessor Limits: Vendors may not further share your data without explicit consent or contractual obligation.
Regular Audits: We conduct quarterly security reviews and require vendors to maintain active SOC 2, ISO 27001, or equivalent certifications.
Breach Notification: Vendors must report any security incident affecting your data within 24 hours of detection.

Legal Requirements

In rare cases, .git may be required to disclose data to comply with applicable laws, regulations, or valid legal process (e.g., court orders, subpoenas, or government requests). In such cases:

We will review all requests to ensure they are legally valid and as narrowly scoped as possible.
We will notify affected users whenever legally permitted, so you may seek protective remedies.
We will only disclose data strictly required by the legal instrument.
We maintain detailed records of all legal requests and publish transparency reports annually.

                        We oppose overly broad or compelled backdoor access. Your repository integrity and confidentiality are core to our engineering and legal commitments.
                    

Your Controls

You retain full control over your data sharing preferences through the .git dashboard and API:

Telemetry & Analytics: Opt in or out of anonymous usage tracking under Settings → Privacy & Telemetry.
Data Export: Download all project data, logs, and configuration exports in machine-readable JSON/CSV formats.
Access Revocation: Revoke third-party integrations and webhooks instantly via Settings → Connected Apps.
Deletion Requests: Initiate account or repository deletion with a 30-day grace period for recovery.
DPA Access: View and download executed DPAs for all active processors in the Compliance Portal.

Contact & Rights

If you have questions about our data sharing practices, need assistance exercising your data rights, or wish to report a concern, please reach out:

Privacy & Compliance Team: privacy@.git.dev
Data Protection Officer (DPO): dpo@.git.dev
Security Disclosures: security@.git.dev or via our Bug Bounty Program
Mailing Address: .git, Inc. | 100 Developer Blvd, Suite 400 | San Francisco, CA 94107

We respond to all privacy and data access requests within 30 days, in compliance with applicable data protection laws.