SOC 2 compliance
This is to assure that from November 1, 2020, Buddy is SOC 2 Type 1 certified. SOC 2 compliance demonstrates that Buddy securely manages your data to protect the interests of your organization and the privacy of its clients according to five trust service principles: security, availability, processing integrity, confidentiality and privacy. You can request your copy of our SOC 2 report here.
The General Data Protection Regulation 2016/679 is a regulation in EU law on data protection and privacy in the European Union and the European Economic Area. It also addresses the transfer of personal data outside the EU and EEA areas. Since May 25, 2018, when the regulation entered into force, Buddy is fully compliant with GDPR, with a designated security officer constantly monitoring our compliance.
Buddy is hosted in secure-by-design Amazon Web Services facilities that continually manage risk and undergo recurring assessments to ensure compliance with industry standards. This includes independent policies for physical access, monitoring & logging, surveillance & detection, device management, operational support systems, infrastructure maintenance, and governance & risk. For more information on the AWS physical security processes, click here.
Buddy’s system installation is using a hardened, patched OS with dedicated firewall and VPN services that help block unauthorized access. We also employ industry-leading solutions to mitigate DDoS attacks. Our servers are under constant surveillance by SecurityMetrics with security audits performed every quarter in accordance to AWS Security Audit Guidelines.
All private data to and from Buddy is transmitted over SSL. All communication with the repository is done over SSH authenticated with keys, or via HTTPS using your Buddy username and password. All registered users are virtual and have no user account on our machines. The SSH credentials used to push and pull cannot be used to access a shell or the filesystem.
If you decide to upgrade your account, we’ll ask you for the details of your credit card or PayPal account. We do not store this information on our servers: we are using Braintree, an external provider owned by PayPal used by companies like Uber, GitHub and Airbnb. All servers are PCI Compliant and monitored by SecurityMetrics in regards to security.
Passwords and Credentials
Passwords in Buddy are salted and hashed by one-direction encryption scripts. We do not store user passwords. Passwords and access keys used in delivery actions (FTP details, SSH, Amazon Access Keys, etc.) are salted and encrypted with two-direction encryption scripts and kept in this form in the database.
Buddy employee policy
Our employees never access private repositories unless required for support reasons and approved with your consent. We can view your code as a compressed Git database, but never as plaintext files like in a local clone. On rare occasions, at your explicit request, we may need to pull a clone of your code; however, this will only be done upon your approval. All cloned repositories are deleted as soon as the support issue has been resolved.
The employee policy applies to all type of private data stored in Buddy, such as server authentication details, authentication data with third-party integrations, or personal user information. All data is stored in encrypted form and can only be accessed by our team for security or maintenance, or for support reasons, on your explicit permission.
All Buddy personnel is trained towards security compliance and subject to privacy agreements. New employees follow a structured onboarding process to get familiar with tools, processes, systems, policies, and procedures. Compliance audits are performed so that employees understand and follow the established policies.
Backup and Maintenance
System maintenance is scheduled for every Tuesday at 06.00AM GMT and takes up to 5 minutes unless stated otherwise on our Twitter channel. In case of large updates you will be notified in advance via email.
All data is backed up in real-time to AWS infrastructure in diversified AWS regions. Buddy employees have no access to stored data unless given explicit permission to solve a support request. Backup data is permanently removed after 3 weeks since the workspace cancellation.
Service Level Agreement
We guarantee that your Buddy repository will be available through your assigned subdomain 100% of the time in a given month, excluding scheduled weekly maintenance. We also guarantee that you will be able to access and commit to your repository 100% of the time in the month. If an outage occurs, we will issue a credit to your next bill for 5% of your monthly fee for every 30-minute period of downtime - up to 100% of your fee for the month.
Buddy Enterprise is the on-premises version of Buddy. It operates on your infrastructure, which means it is governed by your existing information security controls: from firewalls and VPNs, to identity and access management and monitoring systems. You can read about Buddy Enterprise security here.
In case you’ve found a security vulnerability, please see our Responsible Disclosure Policy.
If you have any questions regarding the safety and security of our Service, drop a word to firstname.lastname@example.org and we’ll get back in a snap.