Data security & privacy are in our DNA

We take security and privacy seriously here at Bearer. Our values are reflected in our product, in who we work with, and in how we operate. That is by design, to protect your organization, and we are proud of it.

Controlled access

Bearer never clones repositories or stores source code. Bearer processes metadata only.

Encrypted data

Bearer does not store user authentication data. All data is encrypted when in transit and at rest.

Cloud-based

Bearer infrastructure runs on Amazon Web Services. We run inside a private network, with strict access.

Holistic security

All authentication, data-access and infrastructure providers are secured, and all are SOC, ISO or PCI compliant.

Engineered to keep your data safe

Bearer architecture

Control data requests

Bearer integrates with your Source Code Management (SCM) systems (GitHub, GitLab) to scan your source code. We use static code analysis to detect engineering components (applications, external APIs, databases) processing data and trigger risk assessment workflows.

In order to keep your sensitive data inside your private network and to limit the files Bearer can access and the actions Bearer can perform, we use a broker. The Bearer Broker is an open-source tool that acts as a proxy between Bearer and your SCM systems.

It has a client (a Docker image deployed on your infrastructure) and a server component running on the Bearer SaaS backend. The Broker client maintains an approved data list for inbound and outbound data requests.

Only requests included in this approved list are allowed. By default, only metadata is sent to our infrastructure for processing and storing. You always have complete control over which data you are sending to Bearer.
Architecture of the Bearer Broker.
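As an added illustration (not the Bearer Broker's own code or configuration), the following Python sketch shows the two controls described above: an approved list that admits only matching SCM API requests, with everything else denied by default, and a metadata-only filter that drops file contents before a response leaves the private network. The rule format, API paths and field names are assumptions chosen for the example.

```python
import re
from dataclasses import dataclass

# Hypothetical approved-list rule (assumption, not the real broker format):
# direction of the request relative to the broker client, HTTP method and a
# path template whose ":name" segments match exactly one path component.
@dataclass(frozen=True)
class Rule:
    direction: str      # "inbound" (SaaS -> SCM) or "outbound" (SCM -> SaaS)
    method: str
    path_template: str

    def matches(self, direction: str, method: str, path: str) -> bool:
        if direction != self.direction or method != self.method:
            return False
        parts = [r"[^/]+" if seg.startswith(":") else re.escape(seg)
                 for seg in self.path_template.split("/")]
        # fullmatch: no prefix tricks, no trailing segments, no trailing slash
        return re.fullmatch("/".join(parts), path) is not None

# Constructed approved list: pull-request metadata only, no file contents.
APPROVED = (
    Rule("inbound", "GET", "/repos/:owner/:repo"),
    Rule("inbound", "GET", "/repos/:owner/:repo/pulls"),
    Rule("inbound", "GET", "/repos/:owner/:repo/pulls/:number/files"),
)

# Default deny: a request passes only if some approved rule matches it.
def is_allowed(direction: str, method: str, path: str) -> bool:
    return any(rule.matches(direction, method, path) for rule in APPROVED)

# Fields the example treats as metadata; anything else (e.g. "patch", which
# carries source lines) is dropped before the response leaves the network.
METADATA_FIELDS = frozenset({"filename", "status", "additions", "deletions", "changes"})

def to_metadata(records: list[dict]) -> list[dict]:
    return [{k: v for k, v in rec.items() if k in METADATA_FIELDS} for rec in records]

if __name__ == "__main__":
    # Constructed sample traffic.
    print(is_allowed("inbound", "GET", "/repos/acme/api/pulls/42/files"))       # True
    print(is_allowed("inbound", "GET", "/repos/acme/api/contents/src/app.py"))  # False
    print(to_metadata([{"filename": "src/app.py", "status": "modified",
                        "additions": 3, "deletions": 1, "changes": 4,
                        "patch": "@@ -1 +1 @@ (constructed diff text)"}]))
```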

Security & Privacy, by Design

CONTROL

Your data, your choice

Controlled access to data
  • You choose what repositories you want to scan.
  • Our broker only has permission to access your repositories / projects and pull / merge requests.
  • You have complete control over the data you send to Bearer.
  • We only use metadata. You always keep your sensitive data inside your private network.
  • We do not use your source code, and we neither clone nor store code repositories.
Opt-out and data removal
  • You can opt repositories or projects out at any point.
  • Bearer purges or archives data according to customer requests or legal and regulatory mandates.
  • Your data is kept only for the duration of your subscription and is completely removed from our servers as soon as you cancel.
SECURITY

Secure at every step

Secure access
  • Users authenticate via WorkOS (SOC 2) using SAML.
  • We do not store user authentication data.
Encryption in transit and at rest
  • All data in transit is encrypted using TLS.
  • All data stored is encrypted using AES-256.
Solid infrastructure
  • Bearer runs on Amazon Web Services (ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI).
Network-level security monitoring and protection
  • We monitor and protect our network against unauthorized access using a virtual private cloud (VPC), a bastion host and no public IP addresses.
Vulnerabilities
  • Vulnerabilities are monitored internally by the team and by automation (Dependabot, Sqreen and more), and externally via independent penetration testing and our Vulnerability Disclosure Policy.
Secure development
  • We develop following security best practices (OWASP Top 10).
Privacy

Designed for your privacy

RELIABILITY

Built with care

Safe changes
  • Prior to reaching production, changes are made in code branches and go through code review, testing, CI/CD and QA steps, involving multiple people and separate environments with no customer data.
Traceability
  • We version-control our source code and infrastructure via GitHub and keep logs of the versions and individuals involved. All changes need to be approved first.
  • We collect and store logs to provide an audit trail of our application activity.
Reliability
  • Application performance is tracked via Datadog (ISO 27001, ISO 27017, ISO 27018, SOC 2).
  • Incidents are communicated, logged and tracked down to resolution via a priority workflow; rollback procedures are available.
TRUST

Trustworthy people & partners

Leadership
  • The executives of Bearer are directly involved in security & privacy to ensure we stand by our values in practice.
Team
  • Employees are screened for our values and sign a Non-Disclosure and Confidentiality clause.
  • Strict internal procedures prevent any employee or administrator from gaining access to user data.
Permissions
  • Strict policies grant access on a least-permission, per-role basis. Permissions are reviewed and revoked on a regular schedule and per event.
Secure access
  • Secure workstations and best practices are provided to the team. Identity and authentication are ensured via G Suite SSO with 2-Step Verification enabled.
Trusted third-party providers
  • Amazon Web Services (ISO 27001, ISO 27017, ISO 27018, SOC 1 / 2 / 3)
  • Datadog (ISO 27001, ISO 27017, ISO 27018, SOC 2)
  • GitHub (SOC 1 / 2)
  • Outreach (ISO 27001, SOC 2)
  • Salesforce (ISO 27001, ISO 27017, ISO 27018, SOC 1 / 2 / 3)
  • Sentry (ISO 27001, SOC 2)
  • Twilio (ISO 27001, ISO 27017, ISO 27018, SOC 2)
  • Webflow (SOC 2)
  • WorkOS (SOC 2)
  • Zapier (SOC 2)
  • Zendesk (ISO 27001, ISO 27018)
Trusted payment processor
  • Stripe (PCI certified, TLS encrypted).
  • No payment information is ever stored by Bearer.
Assessed vendors
  • All vendors and providers are individually filtered based on their reputation, security, data permissions and risk added or mitigated.

Ready to start your Privacy by Design journey?

Learn best practices with a privacy specialist.