Security Statement

of Quantified Code UG (hereinafter: "QC")

Security is our major concern when it comes to your source code. At QC, we make sure our infrastructure is protected and secure so that your most valuable asset is safe and protected from unauthorized access.

  • System Security
    • All traffic to and from our website is encrypted using SSL/TLS. This covers the traffic between your computer and our website as well as the traffic between our website and our data centers.
    • In addition to transport encryption, your account and your data are protected by a user ID and password; password-protected areas can be reached only with valid credentials.
  • Data Storage
    • Your data is stored on virtualized servers on Microsoft Azure, located in their datacenter in the Netherlands.
    • Microsoft Azure is compliant with the E.U. Data Protection Directive (95/46/EC) and with several compliance programs, including ISO 27001:2005 and HIPAA.
    • Detailed information about Azure's security measures can be found in Azure's Security and Privacy policies.
  • 3rd-Party services used
    • QC uses 3rd-party services to run this platform (e.g., to handle customer inquiries). Please refer to our Privacy Policy to learn more.
  • Backups
    • Database backups are performed daily for QC, and maintained for a minimum of seven days.
  • How does QC access my GitHub account?
    • When you sign up for QC, we collect an OAuth token from GitHub, which allows us to request data from the GitHub API on your behalf.
    • This OAuth token is stored securely in our database and is protected from unauthorized access.
    • The token is limited to the OAuth scopes granted on GitHub, so please make sure you have read GitHub's documentation on access control and API access permissions.
    • We currently request the following scopes from you when signing up with GitHub:
      Scope            Description
      user:email       Grants read access to a user's email addresses.
      public_repo      Grants read/write access to code, commit statuses, and deployment statuses for public repositories and organizations.
      read:repo_hook   Grants read and ping access to hooks in public or private repositories.
      write:repo_hook  Grants read, write, and ping access to hooks in public or private repositories.
      admin:repo_hook  Grants read, write, ping, and delete access to hooks in public or private repositories.
      read:org         Read-only access to organization, teams, and membership.

      Note that public_repo includes write access to the code of your public repositories, and that admin:repo_hook already covers everything read:repo_hook and write:repo_hook grant. For further information visit https://developer.github.com/v3/oauth/#scopes.

    • We use this token only in the following situations, and under no other circumstances:
      • To synchronize the repositories you have access to. We use this information to show you the available repositories on your profile page so you can enable or disable the code analysis for these repositories.
      • To configure web hooks on a repository you configure to run on QC.
      • To generate an SSH key and register it on GitHub, which is used to access your source code from our build machines. We store this key securely and use it every time we receive a build notification from GitHub to check out your source code on our machines.

      We never access your source code manually, except when explicitly requested by you, e.g., to debug problems with QC.

  • What data does QC store from GitHub?
    • When you push code to GitHub for a repository that is set up to be analyzed on QC, we receive a push notification. The same applies to pull requests sent to us. These notifications contain no sensitive information other than commit references, the names of changed files, and who authored and committed the changes. We store these notifications for debugging purposes, and for debugging purposes only.
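The following is an added example of how such a notification can be reduced to exactly the fields described above before it is stored. It is not QC's own code. The payload is a constructed miniature of a GitHub push event (field names follow GitHub's documented push-event payload, values are invented), and keeping the repository's full name is an assumption made so the stored record can still be tied to a project.

```python
"""Reduce a GitHub push-event webhook payload to the fields worth retaining
for debugging: commit references, names of changed files, and who authored and
committed each change. Commit messages, e-mail addresses, clone URLs and sender
profile data are dropped before anything is stored.

Added example, not Quantified Code's own code.
"""

import json

# Constructed sample of a GitHub "push" event: real field names, invented values.
SAMPLE_PUSH_EVENT = {
    "ref": "refs/heads/main",
    "before": "6113728f27ae82c7b1a177c8d03f9e96e0adf246",
    "after": "0d1a26e67d8f5eaf1f6ba5c57fc3c7d91ac0fd1c",
    "repository": {
        "full_name": "example-org/example-repo",
        "clone_url": "https://github.com/example-org/example-repo.git",
        "private": True,
    },
    "pusher": {"name": "alice", "email": "alice@example.com"},
    "sender": {"login": "alice", "id": 12345, "avatar_url": "https://avatars.example/alice"},
    "commits": [
        {
            "id": "0d1a26e67d8f5eaf1f6ba5c57fc3c7d91ac0fd1c",
            # Commit messages routinely carry ticket numbers or worse; never stored.
            "message": "Fix token validation\n\nInternal ticket SEC-42, see attached credentials",
            "author": {"name": "Alice", "email": "alice@example.com", "username": "alice"},
            "committer": {"name": "GitHub", "email": "noreply@github.com"},
            "added": ["src/new_module.py"],
            "removed": [],
            "modified": ["src/auth/token.py", "tests/test_token.py"],
        }
    ],
}

# Per-commit keys that survive minimization; anything else on a commit is dropped.
RETAINED_COMMIT_KEYS = ("id", "added", "removed", "modified")


def _person(entry):
    """Keep only display name and GitHub username of an author/committer; never the e-mail."""
    if not isinstance(entry, dict):
        return None
    return {k: entry[k] for k in ("name", "username") if k in entry}


def minimize_push_event(payload):
    """Return the retainable subset of a push event.

    Kept: branch ref and before/after commit SHAs, the repository full name
    (assumption: needed to map the event to a project), and per commit its SHA,
    the changed file names, and author/committer names.
    """
    minimized = {
        "ref": payload.get("ref"),
        "before": payload.get("before"),
        "after": payload.get("after"),
        "repository": payload.get("repository", {}).get("full_name"),
        "commits": [],
    }
    for commit in payload.get("commits", []):
        kept = {k: commit.get(k) for k in RETAINED_COMMIT_KEYS}
        kept["author"] = _person(commit.get("author"))
        kept["committer"] = _person(commit.get("committer"))
        minimized["commits"].append(kept)
    return minimized


def serialize_for_storage(payload):
    """Minimize and serialize; the returned string is all that ever reaches the debug store."""
    return json.dumps(minimize_push_event(payload), sort_keys=True)


def contains_dropped_fields(stored):
    """Sanity check on a serialized record: list any keys the minimization must have removed."""
    forbidden = ("message", "email", "clone_url", "avatar_url", "sender", "pusher")
    return [f for f in forbidden if f'"{f}"' in stored]


if __name__ == "__main__":
    record = serialize_for_storage(SAMPLE_PUSH_EVENT)
    print(record)
    print("leaked fields:", contains_dropped_fields(record))
```

The check in contains_dropped_fields is deliberately applied to the serialized record rather than the in-memory dict, since the serialized form is what actually lands in the debug store.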
  • How does QC access my source code?
    • The only time we access your repository directly is when checking out the source code. Your source code is only accessed via SSH, using SSH keys for authentication. Each project set up on QC gets its own SSH key and you'll receive an email notification when we add it to your project. This step happens when you set up the project on QC for the first time.
  • What happens to my source code if I cancel my QC account?
    • Whether you cancel your account or remove a project from analysis, in both cases the source code of your private repositories is securely erased from our servers.
  • I have more questions about security and QC!
    • Contact us, and we'll get back to you right away!