Security

Quick Summary:
We collect only metadata; source code is not stored; UK/EU hosting; GDPR compliant

What We Collect

Metadata Only:

  • Commit timestamps and author identifiers
  • Pull request events (opened, reviewed, merged)
  • Code review participation
  • Branch and merge activity

What We DON'T Store:

  • Source code content
  • Commit message text
  • Private repository files
  • Special category data (health, religion, race, etc.)

Note: We do not store source code. Metrics are derived from data fetched through the APIs you authorize; code content is not retained.

Data Location & Transfer

Primary Storage: UK and EU only (AWS London and Frankfurt regions)

Data is hosted in UK and EU regions. If a transfer outside the UK/EU is ever required, appropriate safeguards (the UK IDTA or EU SCCs) are used.

Redundancy: Multi-region backup within EU

Security Measures

Encryption

  • In Transit: TLS 1.2 or higher
  • At Rest: AES-256

Access Control

  • Multi-factor authentication (MFA) for all admin access
  • Role-based access control (RBAC)
  • Principle of least privilege
  • Regular access reviews

Monitoring & Response

  • 24/7 security monitoring
  • Automated threat detection
  • Commitment to notify you of a personal data breach within 72 hours
  • Documented incident response plan

Compliance

Standards & Regulations:

  • Compliant with UK GDPR and applicable UK data protection laws.
  • Working towards SOC 2 Type II certification.

Our Role

Data Processor: We process data on your behalf. You remain the Data Controller.

Your Responsibilities:

  • Obtain lawful basis for processing employee data under UK GDPR
  • Inform employees about data collection and use
  • Conduct legitimate interests assessments or Data Protection Impact Assessments where appropriate
  • Ensure compliance with employment law

Our Responsibilities:

  • Process data only per your instructions
  • Implement appropriate security measures
  • Notify you of data breaches within 72 hours
  • Assist with data subject rights requests
  • Delete data upon request

Integration Security

  • OAuth 2.0 Authentication: Token-based access to GitHub and GitLab, granted by you through the provider's OAuth 2.0 authorization flow
  • Read-Only Access: We only request read permissions from version control systems
  • Minimal Permissions: Only what's needed for analytics
  • Revocable: You can revoke access anytime from your GitHub/GitLab settings
  • Customer Control: GitHub and GitLab accounts remain under your control. We access them via APIs you authorize.
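The read-only and minimal-permission bullets above are claims you can verify against what the provider actually recorded when you authorized the integration. The script below is an added customer-side check, not Efiros code: it classifies the scopes a token carries and reports any that exceed read-only. GitHub reports classic OAuth scopes in the X-OAuth-Scopes response header and GitLab via its /oauth/token/info endpoint; the scope tables are my own, non-exhaustive classification, and the sample scope lists at the bottom are constructed. One caveat worth knowing when reading the output: GitHub's classic repo scope is read/write, so a token that shows repo is not read-only regardless of how the integration uses it (read-only private-repository access exists only as a GitHub App permission).

```python
"""Customer-side check that an OAuth token granted to an integration is
read-only. Added example, not Efiros code. WRITE_SCOPES / WRITE_PREFIXES are
my own non-exhaustive classification of GitHub classic OAuth scopes and GitLab
scopes; the sample scope lists under __main__ are constructed input."""
from __future__ import annotations

import json
import urllib.request

# Scopes known to grant write access. GitHub caveat: the classic "repo" and
# "public_repo" scopes are read/write; classic OAuth has no read-only scope
# for private repository contents (that is a GitHub App permission instead).
WRITE_SCOPES = {
    "github": {"repo", "public_repo", "workflow", "delete_repo", "gist",
               "user", "user:follow", "write:discussion"},
    "gitlab": {"api", "sudo", "create_runner", "manage_runner", "admin_mode"},
}
# Prefixes that always mean write (GitHub "write:org", "admin:org_hook",
# "delete:packages"; GitLab "write_repository", "write_registry").
WRITE_PREFIXES = {
    "github": ("write:", "admin:", "delete:"),
    "gitlab": ("write_",),
}


def parse_scope_header(value: str) -> list[str]:
    """Split a GitHub 'X-OAuth-Scopes' header ('repo, read:org') into scopes."""
    return [s.strip() for s in value.split(",") if s.strip()]


def is_write_scope(provider: str, scope: str) -> bool:
    """True if the scope grants more than read access on this provider."""
    if provider not in WRITE_SCOPES:
        raise ValueError(f"unknown provider: {provider}")
    return (scope in WRITE_SCOPES[provider]
            or scope.startswith(WRITE_PREFIXES[provider]))


def assess(provider: str, scopes: list[str]) -> dict:
    """Return which granted scopes exceed read-only for the given provider."""
    writes = [s for s in scopes if is_write_scope(provider, s)]
    return {"provider": provider, "granted": list(scopes),
            "write_scopes": writes, "read_only": not writes}


def fetch_github_scopes(token: str) -> list[str] | None:
    """Ask the GitHub API what a classic OAuth token (or classic PAT) can do.
    Granted scopes come back in the X-OAuth-Scopes response header; GitHub App
    tokens and fine-grained PATs do not carry it (returns None), so inspect
    those in the app's permission settings instead."""
    req = urllib.request.Request(
        "https://api.github.com/user",
        headers={"Authorization": f"Bearer {token}",
                 "Accept": "application/vnd.github+json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        header = resp.headers.get("X-OAuth-Scopes")
    return None if header is None else parse_scope_header(header)


def fetch_gitlab_scopes(token: str, base_url: str = "https://gitlab.com") -> list[str]:
    """GitLab's OAuth token-info endpoint returns the granted scopes as a list."""
    req = urllib.request.Request(f"{base_url}/oauth/token/info",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["scope"]


if __name__ == "__main__":
    # Constructed samples of what the two providers report for a token.
    samples = [
        ("github", parse_scope_header("repo, read:org")),  # repo = read/write
        ("github", parse_scope_header("read:org, read:user, user:email")),
        ("gitlab", ["api"]),                               # full API, write
        ("gitlab", ["read_api", "read_repository", "read_user"]),
    ]
    for provider, scopes in samples:
        r = assess(provider, scopes)
        verdict = "read-only" if r["read_only"] else f"WRITE via {r['write_scopes']}"
        print(f"{provider:7} {', '.join(scopes) or '(no scopes)':40} -> {verdict}")
```

For an OAuth app you do not hold the vendor's token; take the scope list from the authorization prompt or from the provider's authorized-applications page and pass it to assess(). The fetch_* helpers are for tokens you do hold, such as a personal access token you have been asked to issue to an integration.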

Data Retention & Deletion

  • Active Account: Data retained for the duration of your subscription
  • After Cancellation: 30-day window to export your data
  • Deletion: Permanent deletion from live systems within 30 days of cancellation; backup copies expire on the backup schedule noted below

Backups are retained for a limited period in accordance with our backup rotation cycles (typically up to 90 days).

Certification: Written certification of deletion available on request

Third-Party Sub-processors

Amazon Web Services (AWS): Cloud infrastructure hosting (UK/EU regions: London and Frankfurt only)

Important: GitHub and GitLab are third-party services controlled by you (the customer). Efiros accesses them via customer-authorized APIs. The relevant provider acts as an independent controller or processor under your agreement with that provider.

Changes: We provide 30 days' notice before adding new sub-processors. You may object on reasonable data protection grounds.

Security Contact

Security Issues: security@efiros.com

Privacy Questions: privacy@efiros.com

Data Protection Inquiries: privacy@efiros.com

General Support: support@efiros.com

Certifications & Audits

Current Status: Working towards SOC 2 Type II certification

For Enterprise Customers:

  • Security documentation available on request
  • Willing to complete security questionnaires
  • Response to vendor security assessments
  • Annual audit rights available (Enterprise plans only)

Standard Plans: Security information provided via documentation and questionnaires. On-site audits not generally permitted for standard plans.

Additional Information

For detailed information about our data practices, please see:

  • Privacy Policy
  • Terms of Service
  • Data Processing Addendum (available in Service Agreements)

Supervisory Authority: Information Commissioner's Office (ICO) | https://ico.org.uk

Efiros Ltd | Registered in England and Wales | https://efiros.com/legal

Last updated: 2026-01-18