Last updated: 17 July 2026.
Security is central to DeployBeat's design. This page summarizes how we protect your data. Vulnerability reports: security@deploybeat.com.
DeployBeat uses an outbound (push) model: your Git server sends webhooks to us. We never require inbound access to your network, no agent runs on your servers, and no firewall port is opened.
GitHub webhooks are verified by HMAC-SHA256 signature; GitLab webhooks by a per-installation secret token - both with constant-time comparison. Calls from Jira validate the Forge Invocation Token (RS256) against Atlassian's published keys, with issuer, audience and expiry enforced in production. Events are de-duplicated by a deterministic content hash.
All traffic is encrypted in transit with TLS. Data at rest is stored in a managed PostgreSQL database with encryption at rest.
Each installation's data is scoped to that installation. We store only the metadata needed to compute metrics - event references and URLs, Jira issue keys, commit author name, timestamps. We do not store source code, passwords, or payment data.
On uninstall, all of that installation's data is erased from our backend. Deletion or export can be requested at any time.
Atlassian, Railway (backend and PostgreSQL) and Cloudflare (DNS and TLS). See the Privacy Policy and DPA.
Please report suspected vulnerabilities to security@deploybeat.com. We aim to acknowledge within two business days.