Data security & privacy are in our DNA
We take security and privacy seriously here at Bearer. Our values are reflected in our product, in who we work with, and in how we operate. That is by design, to protect your organization, and we are proud of it.

Controlled access
Bearer never clones repositories or stores source code. Bearer processes metadata only.

Encrypted data
Bearer does not store user authentication data. All data is encrypted when in transit and at rest.

Cloud-based
Bearer infrastructure runs on Amazon Web Services. We run inside a private network, with strict access.

Holistic security
All auth, data access, & infra providers are secure. All providers are SOC, ISO or PCI compliant.
Engineered to keep your data safe

Control data requests
Bearer integrates with your Source Code Management (SCM) software or your CI/CD pipeline (see the documentation for more details) and performs Static Code Analysis (SCA) on your code repositories to discover and classify data and to detect security risks.
In order to keep your sensitive data inside your private network and limit the files Bearer can access, and the actions that Bearer can perform, we use a Broker. The Bearer Broker acts as a proxy between Bearer and your code repositories.
The Broker maintains an approved data list for inbound and outbound data requests.
Only requests included in this approved list are allowed. By default, only metadata is sent to our infrastructure for processing and storing. You always have complete control over which data you are sending to Bearer.
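As an added illustration of the deny-by-default allowlist described above, the following Python filter is example code written for this page, not Bearer's Broker implementation; the rules, API paths and field names are constructed assumptions. It admits only requests whose method and path match an approved rule, and it strips every response field that is not on that rule's metadata list before anything leaves the private network.

```python
import posixpath
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """One approved (method, path) pair and the metadata fields it may return."""
    method: str
    path_pattern: str        # regex that must match the whole request path
    allowed_fields: frozenset  # response keys permitted to leave the network


# Constructed, hypothetical allowlist. Anything not listed here is denied.
ALLOWLIST = (
    Rule("GET", r"/repos/[\w.-]+/[\w.-]+",
         frozenset({"id", "name", "default_branch", "updated_at"})),
    Rule("GET", r"/repos/[\w.-]+/[\w.-]+/pulls/\d+",
         frozenset({"number", "state", "head_sha", "updated_at"})),
)


def find_rule(method, path):
    """Return the matching rule, or None if the request is not approved."""
    # Reject anything that is not already in canonical form ("..", "//",
    # trailing slash, query string) so a path cannot be disguised to slip past
    # the pattern match.
    if "?" in path or posixpath.normpath(path) != path:
        return None
    for rule in ALLOWLIST:
        if rule.method == method.upper() and re.fullmatch(rule.path_pattern, path):
            return rule
    return None


def is_allowed(method, path):
    return find_rule(method, path) is not None


def filter_response(rule, payload):
    """Keep only the fields the rule approves; everything else is dropped."""
    return {key: value for key, value in payload.items() if key in rule.allowed_fields}


def broker(method, path, upstream_payload):
    """Proxy decision: None means blocked, otherwise the metadata-only payload."""
    rule = find_rule(method, path)
    if rule is None:
        return None
    return filter_response(rule, upstream_payload)


if __name__ == "__main__":
    # Constructed sample responses, as an SCM API might return them.
    repo = {"id": 1, "name": "api", "default_branch": "main",
            "clone_url": "https://scm.example.invalid/acme/api.git", "updated_at": "2024-01-01"}
    print(broker("GET", "/repos/acme/api", repo))                 # metadata only
    print(broker("GET", "/repos/acme/api/contents/README.md", {}))  # None: file contents are not approved
```

The two checks are independent: the path check is what prevents a file-contents endpoint from being fetched at all, and the field filter is what keeps fields such as a clone URL from leaving even on an approved request.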
Security & privacy by design
Your data, your choice
- You choose what repositories you want to scan.
- Our Broker only has permission to access your repositories / projects and pull / merge requests.
- You have complete control over the data you send to Bearer.
- We only use metadata. You always keep your sensitive data inside your private network.
- We do not use your source code, nor clone or store code repositories.
- You can opt repositories or projects out at any point.
- Bearer purges or archives data according to customer requests or legal and regulatory mandates.
- Your data is only kept for the period of your subscription. It is completely removed from our servers as soon as you cancel your subscription.
Secure at every step
- Users authenticate via WorkOS (SOC 2) using SAML.
- We do not store user authentication data.
- All data in transit is encrypted using TLS.
- All data stored is encrypted using AES-256.
- Bearer runs on Amazon Web Services (ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI).
- We monitor and protect our network to prevent unauthorized access, using a virtual private cloud (VPC), a bastion host and no public IP addresses.
- Security is monitored internally by the team and by automation (Dependabot, Sqreen and more), and externally via independent penetration testing and our Vulnerability Disclosure Policy.
- We develop following security best practices (OWASP Top 10).
Designed for your privacy
- We care about your privacy. Read our full policy for more information. No legalese, we promise.
Build with care
- Prior to reaching production, changes are made in code branches and go through code review, testing, CI/CD and QA steps, involving multiple people and separate environments with no customer data.
- We version-control our source code and infrastructure via GitHub and keep logs of the versions and individuals involved. All changes need to be approved first.
- We collect and store logs to provide an audit trail of our application activity.
- Application performance is tracked via Datadog (ISO 27001, ISO 27017, ISO 27018, SOC 2).
- Incidents are communicated, logged and tracked down to resolution via a priority workflow; rollback procedures are available.
Trustworthy people & partners
- The executives of Bearer are directly involved in security & privacy to ensure we stand by our values in practice.
- Employees are screened for our values and sign a Non-Disclosure and Confidentiality clause.
- Strict internal procedures prevent any employee or administrator from gaining access to user data.
- Strict policies grant access on a least-privilege, per-role basis. Access rights are reviewed and revoked on a regular schedule and per event.
- Secure workstations and best practices are provided to the team. Identity and authentication are ensured via G Suite SSO with 2-Step Verification enabled.
- Amazon Web Services (ISO 27001, ISO 27017, ISO 27018, SOC 1 / 2 / 3)
- Datadog (ISO 27001, ISO 27017, ISO 27018, SOC 2)
- GitHub (SOC 1 / 2)
- Outreach (ISO 27001, SOC 2)
- Salesforce (ISO 27001, ISO 27017, ISO 27018, SOC 1 / 2 / 3)
- Sentry (ISO 27001, SOC 2)
- Twilio (ISO 27001, ISO 27017, ISO 27018, SOC 2)
- Webflow (SOC 2)
- WorkOS (SOC 2)
- Zapier (SOC 2)
- Zendesk (ISO 27001, ISO 27018)
- Stripe (PCI certified, TLS encrypted).
- No payment information is ever stored by Bearer.
- All vendors and providers are individually filtered based on their reputation, security, data permissions and risk added or mitigated.