As developers,  we understand the security of your company's source code is extremely important. This page describes select measures we employ to ensure your code is safe. If you have any questions, please don't hesitate to contact us.

Platform Security

Physical Security

datree's physical infrastructure is hosted and managed within Amazon's data centers and utilizes the Amazon Web Service (AWS) technology. Amazon's data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FedRAMP
  • Sarbanes-Oxley (SOX)

For more info, please see:

Data Encryption in Motion

We use SSL/TLS encryption on our web assets to ensure the highest security and data protection standards. We regularly verify our security certificates and encryption algorithms to keep your data safe.

Data Encryption at Rest

All at-rest sensitive user data is encrypted. We use the industry standard AES-256 encryption algorithm to encrypt your data on our database. Learn more about Encrypting Amazon RDS Resources and Server-Side Encryption with Amazon S3-Managed Encryption Keys.

Vulnerability and Patch Management

Our application infrastructure is based on AWS managed services. AWS is responsible for patching systems supporting the delivery of our services. Learn more about AWS shared responsibility model.

Protected and Tested Backups

Protected and tested backups of our database with 14-day retention. All backups are encrypted. Learn more about Amazon RDS automatic backups.

Network Security

Firewalls are utilized to restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business requirement. Each system is assigned to a firewall security group based on the system's function. Security groups restrict access to only the ports and protocols required for a system's specific function.

Application Security


Learn more about authorization options for OAuth Apps. To review GitHub’s security best practices, please see,

Auth0: authentication and authorization as a service

To review Auth0’s security best practices, please see,

Application Secrets Protection

Secrets are stored in a secure encrypted store “at rest” and are accessed with an encrypted connection “in motion”. Encryption keys are rotated. Keys are not stored in the code. Learn more about AWS Systems Manager Parameter Store and AWS KMS.

API Structure

Our platform is built with several micro-services which are accessible through a centralised API Gateway from the outside world using authentication and authorization mechanisms.

Security Management

System and Application Log Collection

All system access and customer access logged and tracked for auditing purposes.


We believe that by making our security statement transparent and our status page updated, interested parties will feel more confident about datree’s practices and processes.

Incident Response

We have a 24/7 on-call personnel responsible for incident response.

How does datree access my GitHub account?

When you sign up for datree, we collect an OAuth token from GitHub, which allows us to request data from the GitHub API on your behalf based on the permissions you have granted. This OAuth token is stored securely in our database and is protected from unauthorized access.

We use this token in the following situations, and under no other circumstances than described below:

  • To synchronize the repositories you have access to. We use this information to show you the available repositories on your repositories page so you can enable or disable scanning them on the datree platform.
  • To configure service hooks on a repository you configure to run on datree
  • To access the project code component configuration files(such as package.json, travis.yml, etc.) from your GitHub repository.
  • To access the projects git metadata such as user commits and any other git operation.

Under no circumstances does datree write or modify source code or Git metadata in your GitHub repositories, source code from your repositories is accessed read-only for the sole purpose of automatically executing the scans or managing the service hooks on GitHub.

We only manually access your code when explicitly requested by you and only with explicit consent by you, and only to debug and help solve catalog issues.

How does datree access my source code?

Other than reading your code component configuration files to populate the catalog with data about code components, people and projects, the only time we access your repository directly is when checking out the source code on one of our scan machines.

Source code is only accessed via HTTPS, using a GitHub token for authentication.

What data do we store from GitHub?

When we finish scanning the repository, we save the repository metadata, code components usage data and organization data. In any case, we don't save a copy of your codebase.

Privacy Policy

Learn more about datree’s privacy policy.

Report Issues

If you find a bug or security issue on our website, please let us know about it by sending an immediate email to (and we will send you a fashionable t-shirt to say thanks!).

If you'd like more detail about our security processes, email