DeployHQ takes the security of your repository connections and deployment data seriously. This article outlines the security measures we have in place to protect your code and credentials.

## OAuth 2.0 Authentication

When connecting your repositories from GitHub, GitLab, Bitbucket, or Azure DevOps, DeployHQ uses OAuth 2.0 authentication. This means:

* **No password storage**: We never ask for or store your Git provider passwords
* **Token-based access**: We use secure OAuth tokens that can be revoked at any time
* **Limited permissions**: We only request the minimum permissions necessary to function
* **User control**: You can revoke DeployHQ's access from your Git provider at any time

### How OAuth 2.0 Works

When you connect a repository:

1. You're redirected to your Git provider's authorization page
2. You approve DeployHQ's access to your repositories
3. Your Git provider issues a secure access token to DeployHQ
4. DeployHQ uses this token for all repository operations
5. No passwords are exchanged or stored in this process

## Data Encryption

All sensitive data in DeployHQ is protected through multiple layers of encryption:

### Encryption at Rest

* **AES-256 encryption**: All sensitive data (SSH keys, API tokens, credentials) is encrypted at rest using industry-standard AES-256 encryption
* **Secure key management**: Encryption keys are stored separately from encrypted data
* **Database encryption**: Sensitive fields in our database are encrypted using Rails' built-in encryption

### Encryption in Transit

* **TLS/SSL connections**: All data transmitted between your browser and DeployHQ uses TLS 1.2 or higher
* **Secure API connections**: All API requests and responses are encrypted
* **Repository connections**: Communications with your Git providers use HTTPS
* **Server deployments**: File transfers use SFTP, SCP, or other encrypted protocols

## Compliance and Security Standards

DeployHQ maintains compliance with industry security standards:

### GDPR Compliance

* **Data protection**: We comply with EU General Data Protection Regulation requirements
* **User rights**: You have full control over your data, including the right to export or delete it
* **Privacy by design**: Security and privacy are built into our systems from the ground up

### SSL/TLS Everywhere

* **Secure connections**: All connections to DeployHQ use TLS 1.2 or higher encryption
* **Certificate validation**: We use industry-standard SSL certificates to ensure secure communications
* **No unencrypted data**: All data transmission is encrypted end-to-end
* **HTTPS enforcement**: HTTP requests are automatically redirected to HTTPS

## Security Best Practices

To ensure maximum security when using DeployHQ, we recommend:

### Repository Access

* **Use OAuth where possible**: OAuth 2.0 is more secure than SSH keys for repository access
* **Rotate credentials regularly**: Periodically regenerate API keys and SSH keys
* **Use deploy keys**: For self-hosted repositories, use read-only deploy keys when possible
* **Limit access scope**: Only grant the minimum permissions necessary

### Account Security

* **Enable two-factor authentication**: Add an extra layer of security to your DeployHQ account
* **Use strong passwords**: Create unique, complex passwords for your account
* **Monitor active sessions**: Regularly review and revoke unused browser sessions from your security settings
* **Review API keys**: Periodically audit and remove unused API keys

### Deployment Security

* **Use secure protocols**: Always use SFTP or SCP for server deployments, not FTP
* **Restrict IP addresses**: Limit deployment access to known IP addresses where possible
* **Review deployment logs**: Regularly check deployment logs for unusual activity
* **Protect environment variables**: Use DeployHQ's secure environment variables feature for sensitive configuration

## Network Security

DeployHQ's infrastructure includes multiple security layers:

* **DDoS protection**: Automatic protection against distributed denial-of-service attacks
* **Firewall protection**: Multi-layered firewall rules protect our infrastructure
* **Intrusion detection**: Automated systems monitor for suspicious activity
* **Regular security scans**: Continuous vulnerability scanning and patching

## Data Retention and Deletion

### Repository Caching

DeployHQ temporarily caches your repository locally to accelerate deployments:

* **Cache duration**: 7 days for free accounts, 14 days for paid accounts
* **Purpose**: Faster deployments only - we do not keep permanent copies of your repository
* **Automatic cleanup**: Local caches are automatically removed if no deployments occur within the retention period
* **Your code remains yours**: The original repository always remains with your Git provider (GitHub, GitLab, Bitbucket, etc.)
* **On-demand removal**: You can manually clear the repository cache at any time from your project settings

### Data Retention Policies

* **Deployment logs**: Retained for 90 days by default
* **Account deletion**: Complete data removal within 30 days of an account deletion request
* **Right to erasure**: You can request deletion of your data at any time
* **Repository caches**: Automatically removed after the retention period or when the project is deleted

## Incident Response

In the unlikely event of a security incident:

* **Immediate notification**: We notify affected users within 72 hours of discovering a breach
* **Transparent communication**: We provide clear information about what happened and what data was affected
* **Remediation steps**: We work quickly to resolve issues and prevent future incidents
* **Post-incident review**: We conduct thorough reviews to improve our security practices

## Reporting Security Issues

If you discover a security vulnerability in DeployHQ:

* **Contact us immediately**: Email [security@deployhq.com](mailto:security@deployhq.com) with details
* **Responsible disclosure**: We appreciate responsible disclosure and will credit researchers
* **Bug bounty**: We offer rewards for valid security reports

## Additional Resources

* **Security settings**: Configure your personal security options in your account settings
* **Two-factor authentication**: Learn how to enable 2FA for your account
* **API security**: Best practices for securing API access
* **SSH key management**: How to manage SSH keys securely

For questions about our security practices, please contact our support team or email [security@deployhq.com](mailto:security@deployhq.com).