Security

This page is specifically written for the hosted version of PullApprove v4.
For questions regarding the self-hosted version of PullApprove, or PullApprove v3, contact us.

In an effort to speed along security reviews, we use the Minimum Viable Secure Product (MVSP) checklist.
PullApprove v4 MVSP Checklist

Source Code Protection

PullApprove does not have write-access to your code. When relevant, source code is read via HTTP APIs and never persisted in long-term storage.

Data flow

Webhooks are used to update PullApprove and trigger processing of pull requests. Data is fetched via the official APIs and stored ephemerally in a cache to stay within API rate limits.

Some basic metadata is stored in a longer-term database for display in the PullApprove UI and for associating users with organizations and their respective permissions.

Data flow diagram

Hosting & Reliability

PullApprove is built on well-known cloud services provided by Heroku, located in the US. We strive to build scalable solutions by leveraging reliable and trusted services.

Monitoring & Backups

PullApprove is constantly monitored for errors and availability so that any issues can be fixed as soon as possible. Automated backups are made of databases that contain persisted and critical customer data.

Vulnerability Scanning & Patches

PullApprove uses GitHub Security Alerts to scan for vulnerabilities. We regularly review and apply patches to our systems using automated and manual methods.

Incident Response

In the event that PullApprove or one of its providers is compromised, and your data is put at risk, we will notify you within 72 hours.

Employee Access to Customer Data

Customer data is only accessed when responding to support requests (with your permission) or when investigating bugs or issues with the product.

The only people with access to customer data are the ones who require it to do their job.

Permissions and Authentication

We use two-factor authentication (2FA) where possible for employee access to services related to PullApprove. Access to PullApprove, and the cloud services used to run it, is only given to people who need it.

PCI Compliance

PullApprove uses Stripe for payment processing, which is certified to PCI Service Provider Level 1. You can find more information about Stripe's policies on their website.

Subprocessors

We try to use a minimal number of services to support PullApprove. In some cases these services directly store information such as email addresses, because they facilitate support messaging.

Are you SOC 2 or ISO 27001 certified?

At our current size (small!), it doesn't make sense to pursue this. It is something we constantly re-evaluate and will do when the time is right.

Reporting Issues

If you have discovered a security concern, please email us at [email protected]. We appreciate your responsible disclosure of any issues you find.

Questions

If you have any questions about our security policy or practices, please email us at [email protected].