DeployBeat
WhyHowMetricsGet early access

Security Overview

Last updated: 17 July 2026.

Security is central to DeployBeat's design. This page summarizes how we protect your data. Vulnerability reports: security@deploybeat.com.

Architecture

DeployBeat uses an outbound (push) model: your Git server sends webhooks to us. We never require inbound access to your network, no agent runs on your servers, and no firewall port is opened.

Authentication and integrity

GitHub webhooks are verified by HMAC-SHA256 signature; GitLab webhooks by a per-installation secret token - both with constant-time comparison. Calls from Jira validate the Forge Invocation Token (RS256) against Atlassian's published keys, with issuer, audience and expiry enforced in production. Events are de-duplicated by a deterministic content hash.

Encryption

All traffic is encrypted in transit with TLS. Data at rest is stored in a managed PostgreSQL database with encryption at rest.

Tenant isolation and data minimization

Each installation's data is scoped to that installation. We store only the metadata needed to compute metrics - event references and URLs, Jira issue keys, commit author name, timestamps. We do not store source code, passwords, or payment data.

Data lifecycle

On uninstall, all of that installation's data is erased from our backend. Deletion or export can be requested at any time.

Sub-processors

Atlassian, Railway (backend and PostgreSQL) and Cloudflare (DNS and TLS). See the Privacy Policy and DPA.

Reporting a vulnerability

Please report suspected vulnerabilities to security@deploybeat.com. We aim to acknowledge within two business days.

© 2026 DeployBeatPrivacy · Terms · Security · DPA · hello@deploybeat.com