2. Data Disclosure & Transparency
We maintain strict transparency regarding what data we collect, how it's processed, and when it may be disclosed. .git does not scan, index, or sell your source code.
| Data Category | Collected? | Disclosure Conditions |
|---|---|---|
| Source Code & Artifacts | No (stored encrypted) | Never disclosed to third parties. Accessed only by authorized team members. |
| Deployment Metadata | Yes (timestamps, success/fail, region) | Anonymized for platform reliability reports. Never tied to code content. |
| Authentication Logs | Yes (IP, MFA status, session duration) | Disclosed only under lawful process or explicit user request for audit. |
| Usage Analytics | Optional (opt-in) | Aggregated, never identifiable. Used solely for UX improvement. |
Lawful Requests: We will always notify affected users before complying with subpoenas or government requests, unless legally prohibited. We publish a semi-annual transparency report.
3. Third-Party Integrations & Data Flow
.git supports 200+ integrations. Data shared with third parties is strictly governed by your configuration and our approved vendor list.
- CI/CD Webhooks: Payloads contain only branch names, commit hashes, and status flags. No source code is transmitted unless explicitly piped by your pipeline config.
- SSO & Identity Providers: We receive only email, name, and group membership. Passwords and 2FA secrets never leave your IdP.
- Analytics & Monitoring: Tools like Datadog, Sentry, or New Relic receive only telemetry you explicitly forward. We do not inject hidden trackers.
- AI Code Assistants: If enabled, snippets are processed in isolated, stateless containers. No training data is retained or exported.
⚠️ Vendor Responsibility
Once data leaves .git's boundary via your configured webhooks or SDKs, it is subject to the third party's privacy policy. We recommend reviewing their data retention practices.
4. Compliance & Legal Frameworks
.git operates under internationally recognized security and privacy standards to ensure your data remains protected across jurisdictions.
- SOC 2 Type II: Annually audited. Reports available to verified enterprise customers.
- GDPR / CCPA: Full data subject rights supported. You may request export, correction, or deletion at any time.
- Data Processing Agreement (DPA): Mandatory for EU/UK customers. Defines controller-processor responsibilities.
- Residency Controls: Enterprise plans allow data sovereignty routing (US, EU, APAC regions).
5. Managing Your Data & Sharing Settings
You retain full ownership and control over your data. Here's how to manage it:
- Export Data: Settings → Account → Data → "Export All" (JSON/CSV + repo snapshots)
- Delete Data: Soft delete retains a 30-day recovery window. Hard delete is immediate and irreversible.
- Revoke Access: Organization → Members → Revoke Tokens / Disable SSO mapping
- Audit Logs: View all access, sharing, and configuration changes in the Security Dashboard
6. Frequently Asked Questions
No. Support access requires explicit, time-limited consent from an organization admin. All sessions are logged and cryptographically sealed.
Your data is quarantined for 30 days. You can export or request immediate deletion. After 30 days, all artifacts and metadata are securely wiped from production and backup systems.
Never. .git does not serve ads, sell data, or participate in behavioral tracking networks. Our revenue comes solely from subscription and enterprise licensing.
Contact our Data Protection Officer at privacy@.git.dev or open a security ticket via our portal. We respond within 48 business hours.