How we handle your code, your secrets, and your data.
The page procurement teams actually read first.
What we never do.
- We don't train any model on your code. PearlGit isn't an AI product. We don't read your repositories to feed analytics or train embeddings — yours or anyone else's.
- We dont ship unsigned binaries. Every release is code-signed; manifests are signed too.
- We dont store provider secrets in plaintext. Webhook secrets, Actions secrets, and OAuth tokens are encrypted at rest with a master key kept outside the database.
- We don't load third-party trackers on the marketing site or the dashboard. No advertising networks, no session-replay tools.
Authentication & SSO.
Sign-in is delegated to Loop SSO (PearlFibers' identity service) via OpenID Connect with PKCE. We never see your password.
Access tokens are RS256-signed JWTs verified against the auth JWKS endpoint, with key rotation supported. Refresh tokens rotate on use; presenting a previously rotated refresh token again revokes the entire chain.
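The refresh-token rotation and reuse-revokes-chain behaviour described above, as an added example that is not PearlGit's or Loop SSO's own code. It assumes an in-memory token table keyed by the SHA-256 of the token, a 30-day token lifetime, and a random per-sign-in family id; those are assumptions, not documented PearlGit internals.

```python
import hashlib
import secrets
import time


class RefreshTokenStore:
    """In-memory stand-in for the server-side refresh-token table (assumed design)."""

    def __init__(self, ttl_seconds=30 * 24 * 3600):
        self.ttl = ttl_seconds
        self._tokens = {}            # sha256(token) -> record
        self._revoked_families = set()

    @staticmethod
    def _key(token):
        # Only a hash is stored, so a leaked table does not yield usable tokens
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, family=None, now=None):
        """Mint a fresh token; a new family starts at each sign-in."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        family = family or secrets.token_hex(16)
        self._tokens[self._key(token)] = {
            "family": family, "user": user,
            "expires": now + self.ttl, "retired": False,
        }
        return token, family

    def rotate(self, presented, now=None):
        """Exchange a live token for a new one; return None on rejection."""
        now = time.time() if now is None else now
        rec = self._tokens.get(self._key(presented))
        if rec is None or rec["family"] in self._revoked_families:
            return None
        if rec["retired"]:
            # A token that was already rotated is being replayed: treat the
            # whole chain as compromised and revoke every token in the family
            self._revoked_families.add(rec["family"])
            return None
        if rec["expires"] <= now:
            return None
        rec["retired"] = True
        new_token, _ = self.issue(rec["user"], rec["family"], now)
        return new_token, rec["user"]

    def is_family_revoked(self, family):
        return family in self._revoked_families
```

Revoking the family on replay signs out both the legitimate client and whoever replayed the token, which is the intended trade-off: the user re-authenticates, and the stolen token stops working.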
For workspace accounts, we support:
- OIDC on Team plans — Okta, Auth0, Azure AD, Google Workspace, Keycloak, and any compliant provider.
- SAML 2.0 on Enterprise plans.
- SCIM 2.0 on Enterprise plans on request, for automated user and group provisioning.
- Two-factor authentication on every plan (TOTP and WebAuthn / hardware keys).
- Signed commits enforceable per branch via branch protection.
Where your data lives.
PearlGit Cloud runs on PearlFibers-operated infrastructure. Repositories, metadata, audit logs, and backups all live in our primary region. Backups are encrypted at the storage layer and kept in the same region.
For specific data-residency or sovereign-region requirements, talk to sales — both are available on Enterprise.
For self-hosted deployments you decide where the data lives. The PearlGit binary is the same product as our cloud — same UI, same API, same data model. We provide a documented backup & restore procedure plus a built-in dump command for one-shot exports.
Encryption.
- In transit: TLS 1.2+ on every endpoint — web, Git over HTTPS, SSH, API, package registries.
- At rest: database volumes encrypted at the storage layer. Repository data on encrypted filesystems.
- Application secrets: OAuth tokens, webhook secrets, Actions secrets, and user-supplied keys are encrypted with libsodium crypto_secretbox using a master key kept outside the database.
- SSH host keys are rotated annually with overlap windows so existing client configurations don't break on rotation day.
Access controls in the product.
- Branch protection — default branch, release branches, any pattern. Force required reviewers, status checks, signed commits, and linear history.
- Code owners via CODEOWNERS. Mention-based assignment and required-review enforcement.
- Repository visibility — public, private, internal (visible across the org but not the world).
- Team permissions — read, triage, write, maintain, admin per team per repository.
- Personal access tokens with scoped permissions and per-token revocation.
- Deploy keys per repository for read-only or write CI access.
Audit logging.
Every state change in the system is recorded in an append-only audit log: sign-ins, repo creation, permission changes, branch-protection rules, secret rotations, webhook triggers, billing changes, and admin actions.
Available levels:
- Starter — basic activity log per repository.
- Team — org-scoped audit log, filterable by user and action, exportable to JSON.
- Enterprise — instance-scoped and org-scoped audit log, with webhook + pull-API delivery to your SIEM.
Audit log retention is indefinite for compliance.
Retention.
- Repositories kept until deleted. Soft-delete with 30-day undelete window before purge.
- Backups retained per contract (default 30 days on Team, configurable on Enterprise).
- Audit log kept indefinitely (compliance record).
- Webhook delivery logs 30 days.
- Diagnostic / server logs 30 days, PII-stripped.
- Account deletion cascades through backups within 30 days.
Vulnerability reporting.
Found a security issue? Email security@pearlfibers.com with reproduction steps. We acknowledge within one business day and aim to fix critical issues within seven days.
Please don't disclose publicly until we've shipped the fix. We credit reporters in the changelog when they want it.
Compliance posture.
PearlFibers operates under formal information-security policies aligned with SOC 2 Type II controls. Certification reports, the DPA, and the subprocessor list are available under NDA on Enterprise engagements.
For regulated workloads or formal compliance reviews, email security@pearlfibers.com with the framework you need to align against (SOC 2, ISO 27001, HIPAA BAA, GDPR DPA, etc.) and we'll share the relevant materials.
Need a deeper review?
For regulated workloads, send us your security questionnaire and we'll fill it in. Most come back within 3 business days.