Security
Effective date: January 5, 2026
This Security Policy constitutes a legally binding agreement between you ("Customer," "User") and GitScrum ("Company," "we," "us," "our"). By accessing or using GitScrum's services, you acknowledge that you have reviewed, understood, and agree to the security practices and commitments outlined herein.
1. Our Security Commitment
GitScrum is committed to maintaining the highest standards of information security to protect your data's confidentiality, integrity, and availability. Security is embedded throughout our development lifecycle, operational procedures, and organizational culture. We continuously evolve our security posture to address emerging threats and maintain compliance with applicable data protection regulations.
2. Data Encryption
2.1 Encryption in Transit
All data transmitted between your devices and GitScrum servers is encrypted using Transport Layer Security (TLS) 1.2 or higher protocols. This industry-standard encryption protects your information from interception and unauthorized access during transmission.
2.2 Encryption at Rest
All sensitive data stored within GitScrum infrastructure is encrypted at rest using AES-256 encryption algorithms. Encryption keys are managed through secure key management systems with strict access controls, regular rotation schedules, and secure backup procedures.
2.3 Key Management
We implement industry best practices for cryptographic key lifecycle management, including secure generation, storage in dedicated key management systems or Hardware Security Modules (HSMs), periodic rotation, and comprehensive audit logging of all key access events.
3. Infrastructure and Data Center Security
3.1 Global Infrastructure
GitScrum operates data centers across multiple geographic regions to ensure service availability, redundancy, and disaster recovery capabilities. Our infrastructure partners maintain certifications including ISO 27001, SOC 2, and other industry-recognized security standards.
3.2 Physical Security
Data centers housing GitScrum infrastructure employ comprehensive physical security controls including 24/7 surveillance, biometric access controls, environmental monitoring, and redundant power and cooling systems.
3.3 Network Security
We deploy multiple layers of network security including firewalls, intrusion detection and prevention systems (IDS/IPS), DDoS mitigation, and network segmentation to protect against unauthorized access and malicious activity.
4. Access Controls and Authentication
4.1 Authentication Mechanisms
GitScrum requires strong password policies and supports multi-factor authentication (MFA) for enhanced account protection. We strongly recommend enabling MFA for all user accounts, particularly those with administrative privileges.
4.2 Authorization and Least Privilege
Access to customer data and system resources follows the principle of least privilege. Role-based access controls (RBAC) ensure users can only access resources necessary for their legitimate business purposes.
4.3 Session Management
We implement secure session management practices including session timeouts, secure token handling, and immediate session termination upon logout or detected anomalies.
5. Application Security
5.1 Secure Development Lifecycle
Security is integrated throughout our software development lifecycle. Our engineering practices include:
- Secure coding standards aligned with OWASP guidelines
- Regular code reviews with security focus
- Automated static and dynamic application security testing (SAST/DAST)
- Dependency scanning and vulnerability management
- Input validation and output encoding to prevent injection attacks
5.2 Vulnerability Management
We conduct regular vulnerability assessments and penetration testing by qualified security professionals. Identified vulnerabilities are prioritized based on severity and remediated according to documented timelines.
5.3 Security Patching
Critical security patches are applied expeditiously following thorough testing procedures. Routine patches follow scheduled maintenance windows with advance customer notification when service impact is anticipated.
6. Security Monitoring and Incident Response
6.1 Continuous Monitoring
GitScrum employs 24/7 security monitoring using Security Information and Event Management (SIEM) systems to detect, analyze, and respond to security events in real time.
6.2 Incident Response Plan
We maintain a comprehensive incident response plan that defines procedures for:
- Detection: Identifying potential security incidents through automated monitoring and reporting mechanisms
- Containment: Isolating affected systems to prevent incident escalation
- Eradication: Removing the root cause of the incident
- Recovery: Restoring normal operations and data integrity
- Post-Incident Analysis: Conducting thorough reviews to improve future response
6.3 Breach Notification
In the event of a personal data breach that poses risk to individuals' rights and freedoms, GitScrum will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, as required by GDPR Article 33. Affected customers and data subjects will be notified without undue delay when legally required or when we determine notification is appropriate.
7. Regulatory Compliance
7.1 GDPR Compliance
As a company operating in Europe, GitScrum adheres to the European Union's General Data Protection Regulation (GDPR). We implement appropriate technical and organizational measures to ensure data processing security, including:
- Lawful bases for processing personal data
- Data subject rights facilitation (access, rectification, erasure, portability)
- Data Processing Agreements with customers acting as data controllers
- Privacy by design and by default principles
- Data Protection Impact Assessments for high-risk processing activities
7.2 Additional Regulatory Alignment
While we do not claim specific certifications beyond what we have achieved, our security controls align with internationally recognized frameworks including ISO 27001, SOC 2 Trust Service Criteria, and NIST Cybersecurity Framework.
8. Personnel Security
8.1 Background Checks
All GitScrum employees with access to customer data undergo background verification appropriate to their role and consistent with applicable laws.
8.2 Security Training
Personnel receive comprehensive security awareness training upon hire and ongoing training on data protection principles, privacy regulations, secure development practices, and emerging threat landscapes. Specialized roles receive additional training specific to their responsibilities.
8.3 Confidentiality Obligations
All employees, contractors, and third parties with access to confidential information are bound by contractual confidentiality and data protection obligations.
9. Third-Party Risk Management
9.1 Vendor Assessment
We conduct thorough security assessments of third-party vendors and service providers before engagement. Assessments evaluate vendors' security controls, compliance posture, data handling practices, and incident response capabilities.
9.2 Contractual Requirements
Agreements with third-party processors include provisions for:
- Data protection obligations consistent with GDPR requirements
- Security standards and audit rights
- Breach notification procedures
- Data deletion or return upon contract termination
9.3 Ongoing Monitoring
We periodically review third-party security posture and maintain the right to audit subprocessors' compliance with contractual security obligations.
10. Data Retention and Deletion
GitScrum retains customer data only as long as necessary to provide services, comply with legal obligations, or as specified in our Data Processing Agreement. Upon termination or at customer request, we securely delete or return customer data according to documented procedures and applicable regulatory requirements.
11. Business Continuity and Disaster Recovery
We maintain business continuity and disaster recovery plans designed to ensure service resilience and data availability in the event of system failures, natural disasters, or other disruptions. These plans include:
- Regular data backups with encryption and offsite storage
- Documented recovery time objectives (RTO) and recovery point objectives (RPO)
- Periodic testing and plan updates
12. Security Audits and Assessments
GitScrum engages independent third-party security experts to conduct regular security audits, penetration tests, and vulnerability assessments. Findings are reviewed, prioritized, and remediated according to risk severity. While specific audit reports may be confidential, summary information may be available to enterprise customers under appropriate non-disclosure agreements.
13. Customer Security Responsibilities
While GitScrum implements comprehensive security controls, customers share responsibility for:
- Maintaining strong passwords and enabling MFA
- Appropriately configuring access permissions for their users
- Monitoring for suspicious activity within their accounts
- Promptly reporting suspected security incidents to GitScrum
- Ensuring their own devices and networks are secure
14. Policy Updates and Transparency
GitScrum reserves the right to update this Security Policy to reflect improvements to our security posture, changes in regulatory requirements, or evolving industry best practices. Material changes will be communicated to customers with reasonable advance notice.
15. Contact Information
For security-related inquiries, questions about this policy, or to report suspected security incidents, please contact:
GitScrum Security Team
Email: security@gitscrum.com
Response Time: We acknowledge security reports within 24 hours
For general privacy inquiries, please refer to our Privacy Policy.
16. Conclusion
Security and privacy are foundational to the trust our customers place in GitScrum. We are committed to continuous improvement of our security program, transparent communication, and partnership with our customers to protect the data entrusted to our platform.
