Security built into every commit
We engineer security into the foundation of .git. Zero-trust architecture, end-to-end encryption, and continuous auditing protect your codebase and team.
Our security model is designed around defense-in-depth, least privilege, and continuous verification.
Every request is authenticated, authorized, and encrypted. No implicit trust between services, users, or network segments.
Data encrypted in transit (TLS 1.3) and at rest (AES-256). Customer-managed keys available for enterprise plans.
Automated SAST, DAST, and dependency scanning across all repos. Critical CVEs patched within 24 hours.
Every action logged to an append-only, tamper-evident ledger. Export to SIEM or query in real-time.
Sigstore signing, SBOM generation, and dependency pinning to mitigate malicious package injection.
Granular RBAC, SSO/SAML, SCIM provisioning, and just-in-time access with automatic session revocation.
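What "append-only, tamper-evident" means in practice for an exported audit ledger is that each entry commits to the one before it, so any edit, deletion or reordering breaks every later link. The following is an added illustration written for this page, not git.dev's ledger format or implementation: the field names, the HMAC key and the sample events are constructed, and the HMAC stands in for whatever signature or transparency log a provider would actually use.

```python
from __future__ import annotations

import hashlib
import hmac
import json

GENESIS = "0" * 64  # chain head before the first entry


def _canonical(record: dict) -> bytes:
    # Deterministic serialization so the same record always hashes the same way.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def entry_hash(prev_hash: str, record: dict) -> str:
    # Each entry's hash commits to the previous entry's hash: this is the chain.
    return hashlib.sha256(prev_hash.encode() + b"\n" + _canonical(record)).hexdigest()


def _mac(key: bytes, entry_hash_hex: str) -> str:
    # Binds the hash to the key holder so an attacker cannot simply recompute it.
    return hmac.new(key, entry_hash_hex.encode(), hashlib.sha256).hexdigest()


class Ledger:
    """Append-only list of hash-chained, MAC-tagged entries (hypothetical layout)."""

    def __init__(self, mac_key: bytes):
        self._key = mac_key
        self.entries: list[dict] = []

    def append(self, record: dict) -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        h = entry_hash(prev, record)
        entry = {"seq": len(self.entries), "prev": prev, "record": record,
                 "hash": h, "mac": _mac(self._key, h)}
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        return self.entries[-1]["hash"] if self.entries else GENESIS


def verify(entries: list[dict], mac_key: bytes,
           expected_head: str | None = None) -> tuple[bool, str]:
    """Walk the chain; report the first broken link. Truncation from the tail is
    only detectable when the caller supplies the head obtained out of band."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i:
            return False, f"entry {i}: sequence gap (deleted or reordered entry)"
        if e["prev"] != prev:
            return False, f"entry {i}: prev pointer does not match previous hash"
        if entry_hash(prev, e["record"]) != e["hash"]:
            return False, f"entry {i}: record content modified"
        if not hmac.compare_digest(_mac(mac_key, e["hash"]), e["mac"]):
            return False, f"entry {i}: MAC invalid (hash recomputed without the key)"
        prev = e["hash"]
    if expected_head is not None and prev != expected_head:
        return False, "chain head mismatch: ledger truncated or replaced"
    return True, "ok"


def demo() -> dict:
    key = b"constructed-demo-key-not-a-real-secret"
    ledger = Ledger(key)
    # Constructed sample events; not real git.dev audit records.
    for rec in [
        {"actor": "alice", "action": "repo.create", "target": "payments"},
        {"actor": "bob", "action": "branch.protect", "target": "payments:main"},
        {"actor": "alice", "action": "member.remove", "target": "mallory"},
    ]:
        ledger.append(rec)
    head = ledger.head()  # in practice: fetched from an independent channel
    results = {"clean": verify(ledger.entries, key, head)[0]}

    # Attacker edits a past record and recomputes its hash, but lacks the MAC key.
    edited = json.loads(json.dumps(ledger.entries))
    edited[2]["record"]["target"] = "alice"
    edited[2]["hash"] = entry_hash(edited[2]["prev"], edited[2]["record"])
    results["edited"] = verify(edited, key, head)

    # Attacker deletes the middle entry.
    results["deleted"] = verify([ledger.entries[0], ledger.entries[2]], key, head)

    # Attacker drops the last entry: internally consistent, caught only by the head check.
    truncated = ledger.entries[:2]
    results["truncated_no_head"] = verify(truncated, key)
    results["truncated_with_head"] = verify(truncated, key, head)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The truncation case is the one practitioners miss: a chain with the tail cut off verifies cleanly on its own, so a SIEM-side check needs the current head (or a signed checkpoint) from a channel the ledger operator cannot rewrite. An HMAC also only proves that the key holder wrote the entry; for assurance against the operator itself, a customer would want a public-key signature or a transparency log rather than a shared key.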
Our infrastructure follows industry-leading security baselines and automated compliance enforcement.
We maintain compliance with global standards to ensure your data meets the highest regulatory requirements.
Annual audits by independent CPA firms covering security, availability, and confidentiality.
Internationally recognized information security management system (ISMS) certification.
Full data subject rights support, regional data residency, and DPA templates for customers.
BAA available for covered entities. PHI handled with encryption and strict access controls.
We welcome responsible disclosure of security vulnerabilities. Our VDP ensures researchers are rewarded and issues are resolved quickly.
Submit findings via our secure portal or email security@git.dev
Our security team acknowledges receipt within 24 hours
Issues patched based on severity. Critical fixes deployed within 72h
Hall of Fame listing & bounty rewards for valid reports
Scope: *.git.dev, api.git.dev, git.dev, and all hosted infrastructure. Out of scope: phishing, DDoS, social engineering.
Our IR process is practiced, documented, and continuously improved through post-mortems.
24/7 monitoring with automated anomaly detection. Critical alerts route to on-call engineers within minutes.
Pre-approved response procedures for common scenarios. Regular tabletop exercises to maintain readiness.
Transparent, timely updates via status page and direct channels. No hidden outages or silent failures.
Blameless post-mortems within 5 business days. Action items tracked to closure with public updates.
Data is stored in geo-redundant AWS regions (us-east-1, eu-west-1, ap-south-1). Enterprise customers can select data residency. All storage is encrypted at rest with AES-256.
Yes. Enterprise plans support Customer-Managed Keys (CMK) via AWS KMS or HashiCorp Vault. You retain full control over key rotation and revocation.
All dependencies are scanned via Snyk and Dependabot. We maintain a locked vendor directory and require dual-approval for new third-party integrations.
We follow a defined IR lifecycle: Detect → Contain → Eradicate → Recover → Learn. Customers are notified via status.git.dev and direct email for incidents affecting their data.
Yes. Pro and Enterprise plans include SAML 2.0 SSO, SCIM 2.0 for automated user provisioning, and just-in-time access provisioning.
Our security team is available to answer technical questions, review architectures, or discuss custom compliance requirements.