This document was last updated on February 14, 2019.
We at DeepSource follow a comprehensive set of practices and policies to make sure our systems are secure by design.
If you have found a vulnerability in any of DeepSource’s services, please contact us via email at email@example.com. If you are reporting sensitive information, please encrypt your message with our public key fingerprint –
59D7 A32F 9325 5216 9B6D 8D0D 9133 5E93 CAA0 8738
We use OAuth tokens as our authentication mechanism to access source code from the supported source code hosting providers. When you start using DeepSource, you must explicitly grant permission in the respective source code hosting provider, authorizing us to check out your public and private repositories. To analyze the source code, we check out your code from the supported source code hosting providers. DeepSource does not store your source code: as soon as the analysis transaction is complete, the source code is purged from our infrastructure. Under no circumstances does DeepSource write or modify source code without your explicit permission. Source code from your repositories is accessed read-only, for the sole purpose of executing the analysis runs.
All our repository and analysis operations run in a secure sandbox. Each sandbox is restricted to accessing data only within its own scope, and it is not possible to access a sandbox from another sandbox or from the Internet. Each analysis run starts in a fresh sandbox, and each sandbox is destroyed after the run, preventing any customer-specific information or source code from leaking from inside the runtime to other sandboxes.
DeepSource’s infrastructure runs on data centers provided by Google Cloud Platform, which follows stringent security practices. No DeepSource employee can access private repositories unless required for support reasons (approval will be requested from the customer in writing). We follow a variety of safeguards to isolate and encrypt customer data. We employ layers of access control, with mandatory 2FA authentication and a hardened VPN setup, to prevent unauthorized access to our underlying infrastructure.
DeepSource does not store or receive any kind of credit card data other than a reference token that allows us to create payments with our payments provider Stripe, a PCI Level 1 certified payments provider. Please refer to Stripe’s security policy for more details: https://stripe.com/help/security.
All data we process and store is backed up frequently to multiple regions spread across the globe. Two identical copies are always ready and waiting for an immediate hot-swap in case of any failure of our underlying services.
All data exchanged with DeepSource is transmitted over TLS. All repository operations on private data are performed over HTTPS, authenticated with short-lived authentication tokens.
If you need your account canceled and/or your data deleted, please contact us at firstname.lastname@example.org.
DeepSource data is hosted on Google Cloud Platform, in compliance with the Privacy Rule of HIPAA. DeepSource follows strictly defined IAM policies, reviews audit logs periodically and encrypts data at rest – in compliance with HIPAA’s Security Rule.
DeepSource’s payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry.
DeepSource does not receive or store credit card data, making it compliant with the Payment Card Industry Data Security Standard (PCI DSS).
If there are any questions regarding our security and compliance policies, contact us at email@example.com.