Building better apps, safely

Some of the world's most security-conscious teams rely on Bitrise to build safely. Read more about our security measures below or reach out to discuss your specific questions.

Certificates / Compliance

GDPR

We process your personal data in compliance with GDPR regulations, only for specified and legitimate purposes, fairly, and in a transparent manner. Bitrise ensures the appropriate security of the personal data of its users, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

You can read more about our privacy policy here: https://www.bitrise.io/privacy

SOC2

We are currently undergoing a comprehensive SOC2 type II auditing procedure in order to demonstrate our compliance with all relevant laws and regulations and to assure that we manage our users’ data in a way that protects their interests and their privacy. Bitrise is expected to be certified by the end of Q2, 2021.

Product Security

All third parties that provide our core services are ISO27001 and SOC2 certified.

Destroying virtual machines

To protect your builds, we run them on virtual machines. Every build runs on its own clean virtual machine, and we discard the machine after the build finishes, erasing every file the build used and every change made during the build.

Source code security

We don't store your source code. Source code is only accessed on the virtual machines if your Bitrise workflow configuration allows it. If you don't have a Git Clone step in your configuration, the source code cannot be accessed at all. Source code is delivered to the VMs through secure channels only, such as SSH and TLS.

Access control

Bitrise features several secure authentication methods, such as SAML SSO, GitHub, GitLab, Bitbucket SSO, two-factor authentication, and complex password requirements. We maintain a strict access-control process requiring all employees to submit access requests and go through a documented review and approval procedure. Access is granted on a need-to-know basis.

Data Security

DPA

Like SaaS providers in general, Bitrise is considered to be a sole data controller under the GDPR, as opposed to a data processor. Under the available guidelines, both the European Data Protection Board and the Information Commissioner’s Office generally accept that when a cloud service provider, such as Bitrise, processes personal data solely for customer support, billing, and other back-office purposes, it acts as a sole data controller and not as a data processor.

Secret security

The files you upload in the Code Signing & Files section of the Workflow Editor are stored on Amazon S3 in a way that makes them accessible only to the web servers. The required credentials are not stored in any database and are only available in the web servers' environment. Build servers cannot access the files directly either. When a build starts, the web server generates a read-only, time-limited access URL for these files, using Amazon S3 pre-signed URLs. Customer secrets are stored in an encrypted database. Passwords are hashed using the bcrypt password hashing algorithm.
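To illustrate what "read-only, time-limited" means for an S3 pre-signed URL, here is an added example (not Bitrise's code) that implements SigV4 query-string presigning with the Python standard library and checks a URL's remaining lifetime. It assumes a virtual-hosted-style bucket host, an unsigned payload, and constructed placeholder credentials and a 5-minute expiry that are not taken from the page.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs, quote, urlencode, urlparse

def _hmac(key: bytes, msg: str) -> bytes:
    return hmac.new(key, msg.encode(), hashlib.sha256).digest()

def presign(bucket, key, region, access_key, secret_key, now, expires=300, method="GET"):
    """Return a SigV4 query-string pre-signed URL for one S3 object.
    The HTTP method, object path, issue time and lifetime are all part of the
    signed canonical request, so a GET URL cannot be replayed as a write and
    stops working once X-Amz-Expires seconds have passed. `now` must be UTC."""
    host = f"{bucket}.s3.{region}.amazonaws.com"
    amz_date = now.strftime("%Y%m%dT%H%M%SZ")
    scope = f"{now:%Y%m%d}/{region}/s3/aws4_request"
    path = "/" + quote(key, safe="/-_.~")
    params = {
        "X-Amz-Algorithm": "AWS4-HMAC-SHA256",
        "X-Amz-Credential": f"{access_key}/{scope}",
        "X-Amz-Date": amz_date,
        "X-Amz-Expires": str(expires),
        "X-Amz-SignedHeaders": "host",
    }
    query = urlencode(sorted(params.items()), safe="-_.~", quote_via=quote)
    canonical = "\n".join([method, path, query, f"host:{host}\n", "host", "UNSIGNED-PAYLOAD"])
    to_sign = "\n".join(["AWS4-HMAC-SHA256", amz_date, scope,
                         hashlib.sha256(canonical.encode()).hexdigest()])
    k = ("AWS4" + secret_key).encode()  # derive the per-day, per-region signing key
    for part in (f"{now:%Y%m%d}", region, "s3", "aws4_request"):
        k = _hmac(k, part)
    signature = hmac.new(k, to_sign.encode(), hashlib.sha256).hexdigest()
    return f"https://{host}{path}?{query}&X-Amz-Signature={signature}"

def seconds_remaining(url, now=None):
    """Seconds until the X-Amz-Date + X-Amz-Expires window closes (<= 0 means expired)."""
    qs = parse_qs(urlparse(url).query)
    issued = datetime.strptime(qs["X-Amz-Date"][0], "%Y%m%dT%H%M%SZ").replace(tzinfo=timezone.utc)
    now = now or datetime.now(timezone.utc)
    return int((issued + timedelta(seconds=int(qs["X-Amz-Expires"][0])) - now).total_seconds())

# Constructed sample: placeholder credentials and bucket, not real values.
SAMPLE = dict(bucket="example-bucket", key="codesigning/dist.p12", region="us-east-1",
              access_key="AKIAPLACEHOLDER000000", secret_key="placeholder-secret-key")
ISSUED_AT = datetime(2021, 6, 1, 12, 0, 0, tzinfo=timezone.utc)

def sample_url(expires=300, method="GET"):
    return presign(**SAMPLE, now=ISSUED_AT, expires=expires, method=method)
```

Changing the method or the expiry changes the signature, which is why a GET URL minted for a build cannot be turned into an upload or extended by the holder.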

Backups & Geo-redundancy

For our core services, we use vendors that provide proven geo-redundant services within the United States. These vendors are all ISO27001 and SOC2 certified. We use a continuous backup solution.

Data encryption

All sensitive information is stored in an encrypted database using the AES-256-GCM algorithm. All information is transported through secure protocols only, such as SSH and TLS.

Network Security

Firewall

For network security purposes, we use a web application firewall to secure our services. Our hosting providers use state-of-the-art firewalls and intrusion detection and prevention systems.

Encrypted communication

All internal and external communications are encrypted using SSO, TLS, and VPN.

Application Security

Secure coding

Our developers are trained in secure coding and write their code in accordance with the security principles and practices defined by the National Institute of Standards and Technology (NIST) and the Open Web Application Security Project (OWASP).

Penetration testing

We use a reputable third-party penetration testing team to test the security of our services on an annual basis and/or after each major release.

Automated code security checks

We use tools and linters, such as RuboCop, Brakeman, Snyk, GoSec, and Netsparker to run automated security checks on each pull request and build. We also run automated dynamic security tests on our platform.

Business Security

Vendor management

Bitrise maintains a vendor management program. All vendors go through a review process, including financial, security, and legal reviews before being onboarded as vendors of Bitrise. Our vendors are reviewed on a yearly basis.

Security program

Bitrise has a security program that is based on industry-standard security frameworks, such as NIST, SOC2, and ISO27001. We have a dedicated security department and employ security professionals to keep our organization and customer data safe.

Background checks

Bitrise requires all of its employees to go through a criminal background check adhering to applicable laws and regulations.

Employee NDA

All employees are required to sign a confidentiality agreement prior to hiring.

Security awareness training

All Bitrise employees are required to go through security awareness training at hire and at least once a year. Our training covers all security domains.

Breach notification policy

In the event of a personal data breach, all affected users will be notified via the configured email address for their accounts. We aim to notify users of a breach as soon as possible, but no later than 72 hours.

Physical Security

Data center security

We do not maintain our own servers. Instead, we use cloud providers and data centers, all of which are ISO27001 and SOC2 certified and located in the United States.

24-hour office surveillance

Our headquarters and satellite offices are secured by a 24-hour office security team.

Visitor login

All Bitrise offices require visitors to sign in, wear visitor identification, and be escorted on site.

Talk to our experts

If you have any additional questions about the security features included in specific plans, we’re happy to help!

Contact Us

Would you like to report something?