Source Code Protection
PullApprove does not have write-access to your code. When relevant, source code is read via HTTP APIs and never persisted in long-term storage.
Webhooks are used to update PullApprove and trigger processing of pull requests. Data is fetched via the official APIs and stored ephemerally in a cache to preserve rate limits.
Some basic metadata data is stored in a longer-term database for displaying in the PullApprove UI and associating users with organizations and their respective permissions.
Hosting & Reliability
PullApprove is built on well-known cloud services provided by Heroku, located in the US. We strive to build scalable solutions by leveraging reliable and trusted services.
Monitoring & Backups
PullApprove is constantly monitored for errors and availability so that any issues can be fixed as soon as possible. Automated backups are made of databases that contain persisted and critical customer data.
Vulnerability Scanning & Patches
PullApprove uses GitHub Security Alerts to scan for vulnerabilities. We regularly review and apply patches to our systems using automated and manual methods.
In the event that PullApprove or one of its providers is compromised, and your data is put at risk, we will notify you within 72 hours.
Employee Access to Customer Data
Customer data is only accessed when responding to support requests (with your permission) or when investigating bugs or issues with the product.
The only people with access to customer data are the ones who require it to do their job.
Permissions and Authentication
We use two-factor authentication (2FA) where possible for employee access to services related to PullApprove. Access to PullApprove, and the cloud services used to run it, is only given to people who need it.
PullApprove uses Stripe for payment processing, which is certified to PCI Service Provider Level 1. You can find more information about Stripe's policies on their website.
We try to use a minimal number of services to support PullApprove. In some cases these will directly store info like email address, as they facilitate support messaging.
- Sentry (error reporting)
- Intercom (support)
- Google Analytics 4 (basic analytics)
- Datadog (monitoring and logging)
- Postmark (transactional email)
Are you SOC 2 or ISO 27001 certified?
At our current size (small!), it doesn't make sense to pursue this. It is something we constantly re-evaluate and will do when the time is right.
If you have discovered a security concern, please email us at [email protected]. We appreciate your responsible disclosure of any issues you find.
If you have any questions about our security policy or practices, please email us at [email protected].