Trust and privacy

Build on a foundation you can trust

To earn your trust, we build security, audit, and compliance solutions with the customer in mind.

Trust and privacy - two people build a castle together

Data privacy and protection

Your data
is our highest priority

Data privacy

We’re GDPR compliant and adhere to the Privacy Shield Framework, certified January 26, 2017.

Read our Privacy Policy →

SaaS and on-premise solutions

Find a plan for your business that meets the unique needs of your engineers—and your information security professionals.

Compare plans for business →

Account security

Because GitHub encrypts all data in transit, all login information and credentials are always protected. GitHub stores a one-way hash of all user passwords using bcrypt. Your account login is protected from brute force attack with rate limiting.

Stay informed

Stay up to date on outages and availability statistics at our Status Page, Blog, and Transparency Report.

GitHub has SOC 1 and SOC 2 Type 2 audit reports, available now through your support team.

GitHub Enterprise Cloud is compliant with AICPA Service Organization (SOC) 1 Type 2 and SOC 2 Type 2—and with IAASB International Standards on Assurance Engagements, ISAE 2000, and ISAE 3402.

If you’re currently using GitHub Enterprise Cloud, you can request a copy of these audit reports through your Support team.

Learn more →

What’s the difference between a SOC 1 or 2 report and a SOC 3 report?

AICPA governs the use of SOC 1, 2 and 3 reports and has stipulated intended use and audiences for each type of report. Whereas SOC 1 and 2 reports are designed to meet the needs of users who need specific assurance about controls at a service organization related to internal controls over financial reporting (ICOFR - SOC 1) or security, availability, processing integrity, confidentiality and/or privacy (trust services criteria - SOC 2), SOC 3 reports are designed as general use reports and can be freely distributed to any interested user.

Auditing controls and certifications

Transparency
builds trust

External audits

GitHub offers the risk management information customers need to assess our commitments to security and compliance. We’ve shipped our SOC 1 and SOC 2 Type 2 audit reports—and as of 2018, GitHub Enterprise Cloud is authorized via the FedRAMP Tailored baseline of security controls.

Cloud security self-assessment

Learn how we support industry-leading control considerations with the Cloud Security Alliance CSA-CAIQ Assessment.

Download our self assessment from CSA →

PCI compliance

We partner with PCI-compliant credit card processors to keep your payment information secure. Our payment processing is compliant with PCI DSS c3.2.

External security testing

We’ve engaged independent security firms for in-depth application security assessment, source code audit, and penetration testing since 2011. Ask your customer service team for more information on third-party application security testing.

GitHub Enterprise SOC 3 report available to the public

In an effort to continue serving the open source community and the general public, we are pleased to be able to make GitHub’s Service Organization Controls (SOC) 3 report for Enterprise Cloud available to the general public.

Learn more about Service Organization Controls reporting at GitHub →

Third-party security

Security-first
partners and vendors

Third-party partners

We assess third-party partners and vendors for fit and security risk based on the services they provide. We also make sure the right technical and contractual commitments are in place.

Production data centers

We use N+1, Tier 3 data center vendors with your availability and security in mind—and with physical security and environmental controls that meet our high standards.