We process your personal data in compliance with GDPR, only for specified and legitimate purposes, fairly, and in a transparent manner. Bitrise ensures the appropriate security of the personal data of its users, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Bitrise has undergone comprehensive SOC2 Type II auditing to demonstrate our Information Systems Management System (ISMS) complies with all relevant laws, regulations and best practices to ensure we manage data in a way that secures and protects clients and individual interests.
The SOC2 report is available upon request by contacting us here: https://www.bitrise.io/contact
To protect our clients' builds, we use virtual machines isolated by firewalls and the underlying hypervisor layer. Each build runs on a dedicated, separated, clean virtual machine which is securely destroyed, destroying every file the build used, after the build finishes, including deletion of every file the build used.
We do not store customers' source code. Source code is only accessed on the ephemeral virtual machines if your Bitrise workflow configuration allows it and, if there are no Git Clone steps in the configuration, the source code cannot be accessed at all. Source code is always delivered to the VMs through secure channels, such as SSH and TLS.
Bitrise features several secure authentication methods, such as SAML SSO, GitHub, GitLab, Bitbucket SSO, two-factor authentication, and complex password requirements. We maintain a strict access-control process requiring all employees to submit access requests and go through a documented review and approval procedure. Access is granted on a need-to-know basis.
Bitrise is considered to be a sole data controller under the GDPR, as opposed to a data processor. It is generally accepted by both the European Data Protection Board and the Information Commissioner’s Office pursuant to the available guidelines that when a cloud service provider, such as Bitrise, processes personal data solely for customer support, billing, and other back-office purposes, it acts as a sole data controller and not as a data processor.
For all core services, we use vendors that provide proven geo-redundant services within the United States and are ISO27001 and SOC2 certified. We use continuous backup solutions and conduct a business continuity test at least annually.
All sensitive information is stored in an encrypted form using AES-256-GCM algorithm. All information is transported through secure protocols only, such as SSH and TLS.
For network security purposes, we use web application firewalls to secure our services. Our hosting providers use state of the art firewall and intrusion detection and prevention systems.
All internal and external communications and data in transit are encrypted (TLS, VPN, SSH).
As part of our change management process, code changes are strictly reviewed and approved prior deployment on production. Our developers are trained about secure coding and follow industry best practices - for example those defined by the Open Web Application Security Project (OWASP). We use security tools and linters, such as RuboCop, Brakeman and GoSec to run automated security checks on pull requests of our production services.
We use third-party penetration testing teams to test the security of our services on an annual basis and/or after each major release. We have a running bug bounty program.
Bitrise maintains a vendor management program in which all vendors go through a risk-based review process, including financial, security, and legal assessments before being onboarded as vendors of Bitrise. Critical providers are reviewed on a yearly basis.
Bitrise has a security program based on industry-standard security frameworks, such as NIST, SOC2, and ISO27001. We have a dedicated security department and employ highly skilled security professionals to keep our organization and our customers' data safe.
As part of our hiring process, within applicable laws and regulations, Bitrise performs criminal background checks of employees.
All employees are required to sign a confidentiality agreement at start of employment.
All employees are required to read and accept company policies - including the Bitrise Employee Code of Conduct - upon hiring and on an annual basis.
All Bitrise employees are required to go through security awareness training at hire and at least on a yearly basis. Our training covers all aspects of security domains, like phishing, secure browsing, incident response or social engineering attacks.
In the event of a personal data breach, all affected users will be notified via the configured email address for their accounts. We aim to notify users of a breach as soon as possible, but no later than 72 hours.
Bitrise does not host any physical servers. Instead, we use cloud providers with highly secured data centers, all of which are certified by ISO27001 and SOC2 and are hosted in the United States.
Our headquarter and satellite offices are secured by a 24-hour office security team. All visitors to Bitrise offices are always required to log in, wear visitor identification, and to be escorted on site.
If you have any additional questions about the security features included in specific plans, we’re happy to help!