Security

Physical Security

Systems are hosted by Digital Ocean. Their data warehouses are staffed 24/7/365 with on-site physical security to protect against unauthorized entry. For more information see https://www.digitalocean.com/security.

File Systems and Communication

All access to the GigaDiff website is restricted to HTTPS encrypted connections. Private source code is transmitted over SSH connections authenticated with SSH keys, not passwords. Each GigaDiff user is assigned a unique SSH key, which is added to your Git server as a "deploy key". As a static analysis tool, GigaDiff never executes source code provided by its users.

Like GitHub.com, we do not encrypt repositories on disk because it would not increase security. The GigaDiff website and workers would need to decrypt the source code on demand, slowing down updates and page response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our machines and network as secure as possible.

Repository data is stored on GigaDiff's production servers until deleted by the user. This can be done at any time by deleting an individual repository or by deleting the account that owns a repository. We do not retroactively delete data from our backups, as we may need to restore data if it was removed accidentally.

Employee Access

No GigaDiff staff will access private source code unless required for support reasons. In cases where staff must access source code in order to perform support, we will get your explicit consent each time, except when responding to a critical security issue or suspected abuse.

When working a support issue we do our best to respect your privacy as much as possible; we only access the minimum files and settings needed to resolve your issue.

Finally, it's worth noting that GigaDiff's staff is quite small, limiting the number of individuals who would provide you with support.

Credit Card Safety

When you purchase a paid GigaDiff subscription, your credit card data is not transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe's security information is available online.

Reporting a Security Concern

Your input and feedback on our security, as well as responsible disclosure, are always appreciated. If you've discovered a security concern, please email us at security@gigadiff.com. We'll work with you to make sure we understand the issue and address it. We consider security correspondence and vulnerabilities our highest priorities and will work to address any issues that arise as soon as possible.

Please act in good faith towards our users' privacy and data during this process. White hat researchers are always appreciated, and we won't take legal action against you if you act accordingly.