As always when security is concerned, we cannot guarantee 100% security, but we do our best to make sure
our platform is as secure as is possible. To that end, we would like to share some of the security measures
and practices that are in place.
Report a Security Issue
If you need to report a security issue, please email [email protected].
In the email, please include details about the issue such as a proof of concept and potentially proposed mitigation steps.
Data Center Security
- All of our servers are hosted in ISO 27001 certified data centers.
- Data centers are video-monitored with a high-security perimeter surrounding the entire data center park.
- Entry is only possible via electronic access control terminals with a transponder key or admission card.
- All movements are recorded and documented. Ultra-modern surveillance cameras provide 24/7 monitoring of all
access routes, entrances, security door interlocking systems and server rooms.
Network Communications
- All connections between Scrutinizer and you are forced over TLS encrypted connections.
- Clients are instructed via appropriate HTTP strict transport security (HSTS) headers to only establish encrypted connections.
- All pushing and pulling of source code is done either over HTTPS or SSH connections.
System Security
- All servers run on Linux with the latest available security updates.
- Automated update procedures are in place to quickly react to any newly released security updates.
- Distributed Denial of Service (DDoS) mitigation services are in place powered by industry-leading solutions.
Software Security
- Our source code is continuously reviewed using Scrutinizer.
- Additionally, all source code changes go through a manual review process before being merged.
Employee Access
We generally never look at your source code unless needed to solve a support issue you file. Typical issues
that often require looking at source code are most issues that are related to source code analysis such as reporting
false-positives. A Scrutinizer team member may need to download your source code and install its dependencies to
reproduce and fix a reported false-positive. When working on such a support issue, we try to respect your
privacy as much as possible, and all source code is deleted as soon as your support issue is resolved.
All data on employees' systems is fully encrypted including the operating system. As such, all data is unreadable
to anyone but those with proper decryption keys should a device be lost or stolen.
Payment Data Security
- All payment data like credit card data is directly stored by PCI-compliant payment providers.
- No payment data reaches or is stored on our servers.
If you have any questions, concerns or feedback about our platform security, please do not hesitate to
contact our support.