At Bitrise, one of our main concerns is protecting our users’ sensitive data and intellectual property. Protecting customer data is one of our most critical functions. Here are some of the main security measures we have in place to make sure we build and maintain the confidentiality, integrity and availability of our Customers’ data and information on our product and infrastructure:
1. We’re complying with global industry security standards
As a “Service Organization”, Bitrise undergoes annual, comprehensive auditing for SOC2 Type II certification to demonstrate our ongoing compliance with all relevant standards, laws, and regulations and to assure that we manage our users’ data in a way that protects their interests.
“SOC2 is an important third-party attestation that we comply with industry standards, but it’s just one part of the picture. Providing business assurance to all stakeholders that we look after the confidentiality, integrity, and availability of their data is a top priority for us.” — Mark Child, VP of Information Systems
When it comes to data processing, we handle the personal data of all individual data subjects in compliance with GDPR regulations (General Data Protection Regulation — a regulation in EU law on data protection and privacy in the European Union and the European Economic Area), only for specified and legitimate purposes, fairly, and in a transparent manner. We also ensure the appropriate security of the personal data of our users, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.
Like SaaS providers in general, Bitrise is considered to be a sole data controller under the GDPR, as opposed to a data processor. This means that we process personal data solely for customer support, billing, and other back-office purposes.
2. We make sure your build logs, source code, and passwords are secured in a virtual environment
“To protect the builds of our customers, we use virtual machines. Every build runs on its own, separated, clean virtual machine, which is securely destroyed after the build finishes, erasing every file the build used.”
We don't store your source code — it is only accessed on the virtual machines if your Bitrise workflow configuration allows it. If you don't have a Git Clone step in your configuration, the source code cannot be accessed at all. The source code is always delivered to the VMs through secure channels, such as SSH and TLS.
Bitrise features several secure authentication methods, such as SAML SSO, GitHub, GitLab, and Bitbucket SSO, two-factor authentication, and complex password requirements. We maintain a strict access-control process requiring all employees to submit access requests and go through a documented review and approval procedure. We enforce password complexity according to industry best practices (NIST), and credentials are salted and hashed using the bcrypt password-hashing algorithm.
3. All sensitive data of our customers is encrypted and our services are secured by firewalls
All sensitive information of our customers is stored in encrypted form using the AES-256-GCM algorithm. All information is transported through secure protocols only, via SSH and TLS, and all internal and external communications are encrypted. Moreover, for network security purposes, we use web application firewalls to secure our services. Our hosting providers use state-of-the-art firewall and intrusion detection and prevention systems.
For our core services, we use vendors that provide proven geo-redundant services within the United States. These vendors all have internationally recognized certifications, such as ISO27001 or SOC2. We use continuous backup solutions and conduct a business continuity test at least annually.
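AES-256-GCM is an authenticated cipher: besides hiding the stored value, it attaches a tag that makes any modification of the ciphertext (or of the associated data bound to it) detectable at decryption time. The following Go program is an added illustration of that property written for this article; it is not Bitrise's code, and the key, the secret value and the record identifier it uses are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Sealed is one encrypted record: the random nonce plus the GCM output,
// which already carries the 16-byte authentication tag.
type Sealed struct {
	Nonce      []byte
	Ciphertext []byte
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key and rejects other sizes.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts plaintext under key with a fresh random nonce.
// aad (here a record identifier) is authenticated but not encrypted, so a
// ciphertext cannot be silently moved to a different record.
func Seal(key, plaintext, aad []byte) (Sealed, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Sealed{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Sealed{}, err
	}
	return Sealed{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, aad)}, nil
}

// Open decrypts and verifies the tag; any change to nonce, ciphertext, tag
// or aad makes it return an error instead of corrupted plaintext.
func Open(key []byte, s Sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, s.Nonce, s.Ciphertext, aad)
}

func main() {
	// Constructed demo key; a real deployment loads keys from a KMS, never from source.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	secret := []byte("APP_STORE_PASSWORD=constructed-example-value") // constructed sample
	aad := []byte("secret-id:42")                                   // constructed record id

	s, err := Seal(key, secret, aad)
	if err != nil {
		panic(err)
	}
	pt, err := Open(key, s, aad)
	fmt.Printf("round trip ok: %v\n", err == nil && string(pt) == string(secret))

	// Flip one bit of the stored ciphertext: GCM refuses to decrypt it.
	s.Ciphertext[0] ^= 0x01
	_, err = Open(key, s, aad)
	fmt.Printf("tampered ciphertext rejected: %v\n", err != nil)
}
```

The nonce is stored next to the ciphertext and must never repeat under the same key, which is why each record gets a fresh random one from crypto/rand.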
4. We’re trained about secure coding and continuously run code security checks
“The majority of security violations involve some form of human vector. Therefore, maintaining and improving the security awareness at the organization level is vital. To minimize the risk of a data breach, we have regular security trainings in place and we make them compulsory for every single employee.”
As part of our change management process, only reviewed and approved code changes can be deployed to production. Our developers are trained about secure coding and follow industry best practices, for example, those defined by the Open Web Application Security Project (OWASP).
We use reputable third-party penetration testing teams to test the security of our services on a regular basis, as well as security tools and linters, such as RuboCop and Brakeman, to run automated security checks on pull requests of our production services. We run regular vulnerability scans against our production services using Netsparker and Sqreen.
As is common throughout our industry, we also strengthen our defenses with a Bug Bounty Program for (ethical) hackers who may find and inform us of potential risks to our security stance. This covers any exploitable vulnerability that could compromise the integrity of our customers’ data, cause application failure, or disclose any sensitive information.
5. Our headquarters and data center locations are all highly secured
“Bitrise does not host any physical servers. Instead, we use first-tier cloud providers with highly secured data centers, all of which are certified by ISO27001 and/or SOC2 and are hosted in the United States.”
Our Budapest headquarters are secured by a 24-hour office security team. All visitors are required to log in, wear visitor identification, and to be escorted on site. All staff are — upon joining Bitrise and regularly during employment — reminded of the need for vigilance against cyber threats through training and anti-phishing campaigns.
We hope you found this article helpful. If you have a security concern about Bitrise or any security-related questions, feel free to get in touch with our team!
For more information, visit our Security page.