PullRequest Data Security Policy

Updated July 12th, 2017.

Nothing in this policy invalidates, modifies, overrides or negates our Terms of Service or Privacy Policy or any other agreement between PullRequest and other parties.

I understand how important security is to you and your organization. On this page, we have highlighted some of the security measures we use to protect your organization. We're always looking for ways to improve. Have a suggestion? Don't hesitate to reach out to me directly.
- Lyal Avery, founder of PullRequest

Reporting Security Concerns to PullRequest

If you have found a vulnerability within our codebase, please contact us at security@pullrequest.com or by calling 1-833-PULLREQ.

If you discover a vulnerability, we ask that you respect our customers' data and act accordingly:

  • Please notify us right away.
  • Test against fake users/accounts. If you would like a set of fake users/accounts to test against, email us at security@pullrequest.com and we will happily provide them to you.
  • Work with us to fix the vulnerability before you disclose it to others.

Overview of Our Security

PullRequest offers both a hosted platform solution (SaaS) and an on-premise solution to be installed behind a corporate firewall. These installation types have different security concerns and issues, particularly with regard to access by our personnel. However, in both cases, we consider security our primary concern.

Physical Security

  • Systems are hosted in ISO 27001 and FISMA certified data centers managed by Amazon Web Services (AWS) and on similarly physically secured servers operated by DigitalOcean.
  • Physical access (through ingress and building access controls) is limited.
  • Security personnel utilize video surveillance and intrusion detection systems to monitor security at all times.
  • Staff must pass two-factor authentication at least twice to reach physical server areas.
  • Physical security is verified by third-party auditors.

For more information about Amazon's security measures, see https://aws.amazon.com/security/.

File Systems and Communications

All access to the application and review servers uses HTTPS encrypted connections. Source code is transmitted over SSH connections secured with SSH keys rather than passwords. SSH keys are added to repositories via APIs or manually during the setup process.

Passwords are stored using the bcrypt standard. They are never stored in plaintext. Password security is extremely important and is the end-user's responsibility. We highly recommend that our customers enable two-factor authentication. Two-factor authentication is a requirement for our reviewers at all times.

We do not collect passwords for other services, such as GitHub or Bitbucket. We only integrate with services that use OAuth or API tokens.

Like GitHub and other services that deal with repository storage, we do not encrypt repositories on the file system. Doing so would result in unacceptably slow response times, and would not offer additional security, as any agent that penetrated our network security and gained file system access would also have access to the encryption/decryption system. As such, we have chosen to focus on network and machine level security instead.

Repository data is stored on our server until the account is deleted by a user or removed during routine cleanup of dormant accounts. You can delete your account or repositories from our file system at any time. While we don't delete data within our backup system as a regular course of business, we do not back up repository data (as it can be recreated from source control at any time).

Employee and Contractor Source Code Access

No PullRequest staff will access your repositories or their contents without express permission, except where required for support, suspected abuse, or critical stoppages. If required for support, we will get permission before providing access.

Reviewers will have access to the code you are having reviewed and, depending on your security settings level, to code related to the items under change. All reviewers have signed NDAs and proprietary innovation agreements. Per their contract, they only work within the PullRequest environment and they do not make copies of the code they review.

pullrequest.yaml is a file to be placed in the root of your repository. It allows you to anonymize lines or prevent whole files from being reviewed. If you are storing certificates or passwords within your repository (we recommend you don't!), you can use this file to prevent them from being distributed to reviewers.

Credit Cards and Payments

We use Braintree and Stripe as our payment providers. Both are PCI Level 1 compliant (the strictest of the PCI standards). We do not store credit card or PII data within our database.

For more info, visit Stripe's security page and Braintree's security page.

Feedback

Please reach out if you have questions or concerns. We're passionate about what we do!

hello@pullrequest.com