Data & Security Policy

How .git collects, processes, secures, and protects your code, deployment data, and account information.

Last Updated: October 15, 2025 | Version: 3.2.0 | Coverage: Global

01 Introduction & Scope

This Data & Security Policy governs how .git ("we", "our", or "us") handles information collected through our developer platform, CI/CD pipelines, edge deployment network, and administrative interfaces. By using .git services, you acknowledge that you have read and understood this policy.

This policy applies to all individual developers, open-source maintainers, commercial teams, and enterprise organizations utilizing .git infrastructure, APIs, and support channels.

02 Data We Collect

We collect only what is necessary to operate, secure, and improve your development workflow. Data is categorized as follows:

  • Account & Identity Data: Email, name, SSO provider tokens, role assignments, and 2FA/MFA enrollment status.
  • Repository & Code Metadata: Commit hashes, branch names, file trees, diff summaries, and dependency manifests. We do not store raw source code beyond transient pipeline execution.
  • Deployment & Runtime Logs: Build outputs, test results, error traces, CDN cache metrics, and deployment manifests.
  • Usage & Telemetry: API request volumes, pipeline execution times, feature adoption metrics, and anonymous crash reports.

Note: Source code is never used for model training, advertising, or shared with unrelated accounts. All code processing occurs in isolated, ephemeral containers.

03 How We Use Your Data

Data collected through .git services is processed strictly for the following purposes:

  • Executing and automating CI/CD pipelines on your behalf
  • Provisioning and managing edge deployments and infrastructure
  • Providing analytics, performance monitoring, and error tracking
  • Enforcing security policies, rate limiting, and abuse prevention
  • Improving platform reliability, build speeds, and developer experience

We may aggregate and anonymize usage metrics to publish platform reliability reports and benchmark improvements. No personally identifiable information (PII) or proprietary code is included in aggregate datasets.

04 Security & Infrastructure

.git operates on a zero-trust architecture with defense-in-depth principles:

  • Encryption: AES-256 at rest, TLS 1.3 in transit. Secrets and environment variables are encrypted using KMS with customer-managed or .git-managed keys.
  • Isolation: Each build and deployment runs in ephemeral, sandboxed containers with network segmentation and strict resource quotas.
  • Access Control: RBAC/ABAC policies, mandatory SSO for enterprise tiers, hardware-backed 2FA, and short-lived JWT/session tokens.
  • Monitoring: 24/7 SOC monitoring, automated threat detection, immutable audit logs, and real-time anomaly alerting.

05 Third-Party & Webhooks

.git integrates with GitHub, GitLab, Bitbucket, Slack, Datadog, Vercel, AWS, GCP, Azure, and 200+ other services. When you configure integrations:

  • We only request the minimum OAuth scopes required for functionality
  • Webhook payloads are signed with HMAC-SHA256 to prevent tampering
  • Third-party processors are bound by Data Processing Agreements (DPAs) compliant with GDPR, CCPA, and SOC 2

You retain full control over which services receive data and can revoke integrations instantly from your security dashboard.

06 Retention & Deletion

We retain data only as long as necessary to provide services and comply with legal obligations:

  • Pipeline Logs: 30 days (standard), 90 days (Pro/Enterprise)
  • Deployment Artifacts: Until explicitly purged or replaced by newer versions
  • Audit & Security Logs: 12 months minimum, up to 7 years for enterprise compliance tiers
  • Account Data: Deleted within 30 days of account termination, except where legal hold applies

You may request immediate deletion of non-essential data via the Privacy Center or by contacting our DPO.

07 Your Rights & Controls

Depending on your jurisdiction, you may have the right to:

  • Access, export, or correct your personal and account data
  • Restrict processing or object to automated decision-making
  • Request deletion of data without undue delay
  • Port your data to another compatible platform
  • Withdraw consent for optional telemetry and analytics

All requests are processed within 30 calendar days. Enterprise teams may manage these rights at scale via SCIM, API, or delegated admin roles.

08 Compliance & Certifications

.git maintains continuous compliance with industry and regulatory standards:

  • SOC 2 Type II (Annual audit, restricted report available upon request)
  • ISO 27001 & 27018 (Cloud privacy & information security)
  • GDPR & CCPA/CPRA (Global privacy frameworks)
  • PCI DSS Level 1 (For payment-related add-ons)

Subprocessors and third-party vendors are reviewed quarterly. Full vendor list and compliance attestations are available in our Trust Center.

09 Policy Updates

We may update this policy to reflect changes in technology, security practices, or legal requirements. Material changes will be communicated via:

  • In-app notifications and dashboard banners
  • Administrative email to account owners and delegates
  • Version history tracked in our public changelog

Continued use of .git services after 30 days of notification constitutes acceptance of the updated policy.

10 Contact & DPO

For questions, data subject requests, or security reports, please contact:

Disclaimer: This document is a template for demonstration purposes. For legal implementation, consult qualified counsel and adapt to your jurisdiction and business requirements.