This document was last updated on August 14, 2020.
We at DeepSource follow a comprehensive set of practices and policies to make sure our systems are secure.
Data center security
DeepSource’s infrastructure runs on data centers provided by Google Cloud Platform, which follows stringent security practices. Refer to Google Cloud Platform’s compliance and security documentation for detailed information. We follow a variety of safeguards to isolate and encrypt customer data. We employ multiple layers of access control, with mandatory TOTP/U2F-based authentication for all DeepSource employees. Our software infrastructure is audited regularly and updated with the latest security patches.
Source code security
We use OAuth tokens as our authentication mechanism to access source code from the supported source code hosting providers. When you start using DeepSource, you must explicitly grant, in the respective source code hosting provider, the permissions that authorize us to check out your public and private repositories. To analyze the source code, we check out your code from the supported source code hosting providers.
DeepSource does not store your source code. As soon as the analysis transaction is complete, the source code is purged from our infrastructure; it is not backed up.
Sandboxed analysis environments
All repository checkouts and analyses run in a secure sandbox. Each sandbox is restricted to accessing data only within its own scope, and it is not possible to reach a sandbox from another sandbox or from the Internet. Each analysis run starts in a fresh sandbox, and each sandbox is destroyed after the run, which prevents any user-specific information or source code from leaking out of the runtime to other sandboxes or to a public network.
Credit card data handling
DeepSource does not receive or store any kind of credit card data. All our payments are processed by Stripe, a PCI Level 1 certified payments provider. Please refer to Stripe’s security policy for more details: https://stripe.com/help/security.
Data loss prevention
All data we process and store is backed up frequently to multiple regions. Two identical copies are always ready for an immediate hot-swap in case of any failure of our underlying services. DeepSource encryption uses 256-bit AES keys to protect backups at rest, and encrypts data in motion with 128-bit AES SSL/TLS encryption.
All data exchanged with DeepSource is transmitted over TLS. All repository operations on private data are done over HTTPS, authenticated with short-lived authentication tokens.
Canceling your account or deleting data
If you need your account canceled and/or your data deleted, please contact us at firstname.lastname@example.org.
DeepSource data is hosted on Google Cloud Platform, in compliance with the Privacy Rule of HIPAA. DeepSource follows strictly defined IAM policies, reviews audit logs periodically, and encrypts data at rest, in compliance with HIPAA’s Security Rule.
DeepSource’s payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry.
DeepSource does not receive or store credit card data, making it compliant with the Payment Card Industry Data Security Standard (PCI DSS).
SOC 2 Type 2 (In progress)
DeepSource is undergoing procedures for SOC 2 Type 2 compliance. SOC 2 ensures that we follow strict information security policies and procedures encompassing the security, availability, processing integrity, and confidentiality of user data.
Data security is a top priority for DeepSource, and we believe that working with skilled security researchers can identify weaknesses in any technology. If you believe you’ve found a security vulnerability in DeepSource’s services, please notify us; we will work with you to resolve the issue promptly.
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at email@example.com. We will acknowledge your email within 1 business day. If you would like to encrypt sensitive information, here’s our PGP key.
-----BEGIN PGP PUBLIC KEY BLOCK-----

mQENBF6f3h4BCADBnB37GPRp1K1H25b40LwrT2GVpFEDhoOfAHfh7oiQxezgfgHi
HjwZUZqX/5wbebh65ogASrQAZEnYnd0YHSebh5EJUwWmza6b8nrXeBL0PkTBeVV3
u3OmfBnNHr4tZskJ3QYfxWWzzrpOTLXrMnfO3m3XCItAmURetUtyJ7TAOLoI9mLR
ol8ubs/Oh1AxOJVMSQHB2yAwx3ZZfUUrBCilwcM0xLBKW8R69QYKYsl+rDbgFUW3
F8T8OzQ8HAKUoKZwffuGee300DMno3Zrl+0EEubo8niKhOB1n/2DQehdri/diqBS
XlCP+UFrrButyT7aioI5L7pCiY3s55GfJYidABEBAAG0LERlZXBTb3VyY2Ugc2Vj
dXJpdHkgPHNlY3VyaXR5QGRlZXBzb3VyY2UuaW8+iQFUBBMBCAA+FiEE0wBiyy7M
wXXuWYtgHe1+o+NcMv0FAl6f3h4CGwMFCQPCZwAFCwkIBwIGFQoJCAsCBBYCAwEC
HgECF4AACgkQHe1+o+NcMv0XMQf8C8W6qQqKB9NxM/6p4p01+EiUVDm5MXwEAEGX
rXXFBtvEorXHt64DHSJl1cdPaf62+oAmkoFbNBRYW9eDUNdjocdlOiE/2DNnEb72
Z6c0BiGtJYJFpZnKv7U+Q8gdRmPqPWr27HmEnSvNuWMFXRJSnJ3KaC6YnHpS8wtg
p70M8nNaiEguoeykNVmL+dYCYg970IgfX7PlYfXYKwU1RjoCIi9wtW2M3FlYpC3J
EVZoyPr107VIL6BX/a2c3+xRP8GK5Fqvh9eMI6afmegpXMJUQmj+AlnRNShB0e4z
Zp3GbEpd6ZuHapmcWjcApzyH17idK/38EkuZeXE0aRLLmMiL7bkBDQRen94eAQgA
3u19dgN4IBMqBwKV+VBQ5aP0mgIH+gFznQz0WAG9z5On43vnIOLAT356YUlJgkt7
N8LxjCfaZzW8Zab+aejiefvEF/VHHjzQ9n87CHBoGVWjXLINeK6cv8BF6zK1gHgE
R8rA9ewrU9kg7KUciHx0mfWPxN7ZuWCwvIxwQDQNSeEc7IzNE1Fttz4JS+EpKse6
GawM2MzfAGNth198kfA/tJmRFXCebgC0dLwfhW9rWPln1R4gL7sdU0f1ilSywHCk
zkZm7Wyi8z5tbK7JUaiu8CAFIwO3aqqzx6Cd27blEvkGYpYsvSl7wGauJjGpPx0S
HcFD6BPjoY9GJaYv/FkdHwARAQABiQE8BBgBCAAmFiEE0wBiyy7MwXXuWYtgHe1+
o+NcMv0FAl6f3h4CGwwFCQPCZwAACgkQHe1+o+NcMv3Magf/fYMuQ1Gn0PYUquK5
pXlYgmbDcjjFEAXsKNznBfNlUOjZuwm8HD55plKbNJhDLxyIScvCWry9pp0IE699
u0hCdyAYO4PwyOJPa2uk4UgseoOHRgB1LTmE/3o+6Oorn9dhE60YUhKQjxNnHhJr
ze+VAjPtKZ+LNYv/PPTT3Kj6X2ZueiNoYXkZ7anHwdNOiVo/sU50F85OKvxZ8W6u
m9cgkmaMf3svrL6uizI4XAHwOzkyzLMlODh/hvu9GzLY/IMRz08dYBKDHNKlOE0T
OLUBdQ4fJ8q5G4lQxP/ZUd6s4jxJcPttAEh+jtFiAgeywb4A/VJpiGAE3oQdoSaS
QeeXEw==
=suf2
-----END PGP PUBLIC KEY BLOCK-----
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within one week of disclosure. Make a good-faith effort to avoid violating privacy, destroying data, or interrupting or degrading the DeepSource service. Please interact only with accounts you own or for which you have explicit permission from the account holder.
While researching, we’d like you to refrain from:
- Distributed Denial of Service (DDoS).
- Social engineering or phishing of DeepSource employees or contractors.
- Any attacks against DeepSource’s physical property or data centers.
Thank you for helping to keep DeepSource and our users safe!
We may revise these guidelines from time to time. The most current version of the guidelines will be available at https://deepsource.io/security/.
DeepSource is always open to feedback, questions, and suggestions. If you would like to talk to us, please feel free to email us at firstname.lastname@example.org.