Security at DXSignal
Your data security and privacy are our top priorities. Learn how we protect your information.
Last updated: November 30, 2025
Authentication & Access Control
Auth0 Identity Platform
DXSignal uses Auth0, an industry-leading identity management platform, to handle all user authentication and authorization. Auth0 provides:
- Enterprise-grade security with multi-factor authentication (MFA) support
- Social login integration (GitHub, Google, Microsoft) with OAuth 2.0
- Secure password hashing using bcrypt with automatic salt generation
- Protection against brute force attacks and credential stuffing
- Anomaly detection and adaptive authentication
- Designed with GDPR compliance in mind; formal ISO 27001 certification in progress
Role-Based Access Control (RBAC)
We implement granular role-based permissions to ensure users only access data they're authorized to view:
- Organization-level access controls for team management
- Repository-specific permissions aligned with your source control settings
- Team-based data isolation to prevent unauthorized access
- Admin, member, and viewer roles with appropriate privileges
Data Encryption
Encryption in Transit
- All data transmitted between your browser and our servers is encrypted using TLS 1.3
- HTTPS enforcement on all endpoints with HSTS (HTTP Strict Transport Security)
- Strong cipher suites with forward secrecy
- Certificate transparency and regular SSL/TLS certificate rotation
Encryption at Rest
- All databases are encrypted using AES-256 encryption
- Integration access tokens are individually encrypted with authenticated AES-256-GCM before storage, with tamper detection
- Automated backups are encrypted and stored securely
- Encryption keys are managed using industry-standard key management systems
Infrastructure Security
Cloud Infrastructure
- Hosted on Microsoft Azure with enterprise-grade certified infrastructure
- Multi-region deployment with automatic failover capabilities
- Network isolation using Virtual Private Clouds (VPCs)
- Distributed denial-of-service (DDoS) protection
- Web Application Firewall (WAF) to filter malicious traffic
Application Security
- Regular security updates and patch management
- Dependency scanning and automated vulnerability detection
- Input validation and sanitization to prevent injection attacks
- Content Security Policy (CSP) headers to mitigate XSS attacks
- Rate limiting and API throttling to prevent abuse
Data Privacy & Protection
Minimal Data Collection
We follow the principle of data minimization, collecting only the information necessary to provide our services:
- Engineering metrics data (deployments, pull requests, builds)
- Repository and organization metadata
- User account information (email, name, authentication data managed by Auth0)
- Usage analytics to improve the platform
Data Retention
- Metrics data is retained according to your subscription plan
- User account data is retained while your account is active
- Deleted data is purged from production systems within 30 days
- Backup retention follows our disaster recovery policies
Data Isolation
- Logical data separation ensures organizations cannot access each other's data
- Database-level access controls and query filtering
- Regular audits of access patterns and permissions
Third-Party Integrations
DXSignal integrates with your development tools using secure OAuth 2.0 authentication:
Integration Security
- GitHub, GitLab, Azure DevOps, Bitbucket: OAuth tokens with minimal required permissions (read-only access to repositories and metadata)
- Jira: API tokens with read-only access to projects, issues, and boards
- Stripe: PCI DSS compliant payment processing; we never store credit card information
- Auth0: Industry-leading identity management with enterprise-grade security
- All integration credentials are encrypted and stored securely
- Tokens can be revoked at any time from your account settings
- Regular security audits of third-party dependencies
Webhook Security
- All webhook payloads are verified using cryptographic signatures
- IP allowlisting available for enterprise customers
- Webhook endpoints protected by authentication tokens
- Automatic retry with exponential backoff and failure notifications
Monitoring & Incident Response
Continuous Monitoring
- 24/7 system monitoring for security events and anomalies
- Real-time alerts for suspicious activities and potential threats
- Automated intrusion detection and prevention systems
- Regular security audits and penetration testing
- Comprehensive logging of access and authentication events
Incident Response
In the event of a security incident, we have a comprehensive response plan:
- Immediate containment and mitigation procedures
- Forensic analysis to determine scope and impact
- Transparent communication with affected customers
- Post-incident review and improvement process
- Coordination with law enforcement when necessary
Compliance & Certifications
DXSignal is committed to meeting industry standards and regulatory requirements:
- GDPR: Full compliance with EU General Data Protection Regulation
- CCPA: Compliance with California Consumer Privacy Act
- Infrastructure Security: Our infrastructure providers maintain industry-leading security certifications
- ISO 27001: We follow ISO 27001 information security management principles; formal certification in progress
- PCI DSS: Payment Card Industry Data Security Standard (via Stripe)
We regularly update our security practices to align with evolving standards and best practices.
Employee Access & Training
- Strict access controls limit employee access to customer data
- Multi-factor authentication (MFA) required for all employee accounts
- Regular security awareness training for all team members
- Background checks for employees with access to sensitive systems
- Secure development lifecycle training and code review practices
- Access is logged and audited regularly
Business Continuity
Backups & Disaster Recovery
- Automated daily backups with point-in-time recovery
- Backups encrypted and stored in geographically diverse locations
- Regular disaster recovery testing and drills
- Uptime targets and SLA terms included in Enterprise agreements
- Documented business continuity and disaster recovery plans
Reporting Security Vulnerabilities
We take security vulnerabilities seriously and appreciate responsible disclosure from the security research community.
How to Report
If you discover a security vulnerability, please report it to us immediately:
- Email: security@dxsignal.com
- Include detailed information about the vulnerability and steps to reproduce
- Allow us reasonable time to address the issue before public disclosure
- We do not currently offer a bug bounty program, but we greatly appreciate responsible disclosure
Our Commitment
- We will acknowledge receipt of your report within 24 hours
- We will provide regular updates on our progress
- We will credit researchers who responsibly disclose vulnerabilities (with permission)
- We will not pursue legal action against researchers who follow responsible disclosure practices
Your Responsibilities
While we implement comprehensive security measures, security is a shared responsibility:
- Keep your Auth0 account credentials secure and confidential
- Enable multi-factor authentication (MFA) on your account
- Use strong, unique passwords for your DXSignal account
- Review and manage connected integrations and OAuth permissions regularly
- Report any suspicious activity or unauthorized access immediately
- Keep your team members' access permissions up to date
- Revoke access for team members who no longer need it
Questions About Security?
We're committed to transparency about our security practices. If you have questions or concerns about security at DXSignal, please contact us:
- Security Issues: security@dxsignal.com
- General Questions: support@dxsignal.com
- Enterprise Security Inquiries: enterprise@dxsignal.com
For enterprise customers, we can provide additional security documentation including penetration testing results and detailed architecture diagrams upon request with appropriate NDAs in place.