Repository security practices

Last updated on 8th January 2026

DeployHQ takes the security of your repository connections and deployment data seriously. This article outlines the security measures we have in place to protect your code and credentials.

OAuth 2.0 Authentication

When connecting your repositories from GitHub, GitLab, Bitbucket, or Azure DevOps, DeployHQ uses OAuth 2.0 authentication. This means:

No password storage: We never ask for or store your Git provider passwords
Token-based access: We use secure OAuth tokens that can be revoked at any time
Limited permissions: We only request the minimum permissions necessary to function
User control: You can revoke DeployHQ's access from your Git provider at any time

How OAuth 2.0 Works

When you connect a repository:

You're redirected to your Git provider's authorization page
You approve DeployHQ's access to your repositories
Your Git provider issues a secure access token to DeployHQ
DeployHQ uses this token for all repository operations
No passwords are exchanged or stored in this process

Data Encryption

All sensitive data in DeployHQ is protected through multiple layers of encryption:

Encryption at Rest

AES-256 encryption: All sensitive data (SSH keys, API tokens, credentials) is encrypted at rest using industry-standard AES-256 encryption
Secure key management: Encryption keys are stored separately from encrypted data
Database encryption: Sensitive fields in our database are encrypted using Rails' built-in encryption

Encryption in Transit

TLS/SSL connections: All data transmitted between your browser and DeployHQ uses TLS 1.2 or higher
Secure API connections: All API requests and responses are encrypted
Repository connections: Communications with your Git providers use HTTPS
Server deployments: File transfers use SFTP, SCP, or other encrypted protocols

Compliance and Security Standards

DeployHQ maintains compliance with industry security standards:

Data protection: We comply with EU General Data Protection Regulation requirements
User rights: You have full control over your data, including the right to export or delete
Privacy by design: Security and privacy are built into our systems from the ground up

SSL/TLS Everywhere

Secure connections: All connections to DeployHQ use TLS 1.2 or higher encryption
Certificate validation: We use industry-standard SSL certificates to ensure secure communications
No unencrypted data: All data transmission is encrypted end-to-end
HTTPS enforcement: HTTP requests are automatically redirected to HTTPS

Security Best Practices

To ensure maximum security when using DeployHQ, we recommend:

Repository Access

Use OAuth where possible: OAuth 2.0 is more secure than SSH keys for repository access
Rotate credentials regularly: Periodically regenerate API keys and SSH keys
Use deploy keys: For self-hosted repositories, use read-only deploy keys when possible
Limit access scope: Only grant the minimum permissions necessary

Account Security

Enable two-factor authentication: Add an extra layer of security to your DeployHQ account
Use strong passwords: Create unique, complex passwords for your account
Monitor active sessions: Regularly review and revoke unused browser sessions from your security settings
Review API keys: Periodically audit and remove unused API keys

Deployment Security

Use secure protocols: Always use SFTP or SCP for server deployments, not FTP
Restrict IP addresses: Limit deployment access to known IP addresses where possible
Review deployment logs: Regularly check deployment logs for unusual activity
Protect environment variables: Use DeployHQ's secure environment variables feature for sensitive configuration

Network Security

DeployHQ's infrastructure includes multiple security layers:

DDoS protection: Automatic protection against distributed denial-of-service attacks
Firewall protection: Multi-layered firewall rules protect our infrastructure
Intrusion detection: Automated systems monitor for suspicious activity
Regular security scans: Continuous vulnerability scanning and patching

Data Retention and Deletion

Repository Caching

DeployHQ temporarily caches your repository locally to accelerate deployments:

Cache duration: 7 days for free accounts, 14 days for paid accounts
Purpose: Faster deployments only - we do not keep permanent copies of your repository
Automatic cleanup: Local caches are automatically removed if no deployments occur within the retention period
Your code remains yours: The original repository always remains with your Git provider (GitHub, GitLab, Bitbucket, etc.)
On-demand removal: You can manually clear the repository cache at any time from your project settings

Data Retention Policies

Deployment logs: Retained for 90 days by default
Account deletion: Complete data removal within 30 days of account deletion request
Right to erasure: You can request deletion of your data at any time
Repository caches: Automatically removed after retention period or when project is deleted

Incident Response

In the unlikely event of a security incident:

Immediate notification: We notify affected users within 72 hours of discovering a breach
Transparent communication: We provide clear information about what happened and what data was affected
Remediation steps: We work quickly to resolve issues and prevent future incidents
Post-incident review: We conduct thorough reviews to improve our security practices

Reporting Security Issues

If you discover a security vulnerability in DeployHQ:

Contact us immediately: Email security@deployhq.com with details
Responsible disclosure: We appreciate responsible disclosure and will credit researchers
Bug bounty: We offer rewards for valid security reports

Additional Resources

Security settings: Configure your personal security options in your account settings
Two-factor authentication: Learn how to enable 2FA for your account
API security: Best practices for securing API access
SSH key management: How to manage SSH keys securely

For questions about our security practices, please contact our support team or email security@deployhq.com.