Security at DXSignal

Your data security and privacy are our top priorities. Learn how we protect your information.

Last updated: November 30, 2025

Authentication & Access Control

Auth0 Identity Platform

DXSignal uses Auth0, an industry-leading identity management platform, to handle all user authentication and authorization. Auth0 provides:

  • Enterprise-grade security with multi-factor authentication (MFA) support
  • Social login integration (GitHub, Google, Microsoft) with OAuth 2.0
  • Secure password hashing using bcrypt with automatic salt generation
  • Protection against brute force attacks and credential stuffing
  • Anomaly detection and adaptive authentication
  • Auth0's own SOC 2 Type II, ISO 27001 and GDPR compliance programs cover the identity service (these are Auth0's attestations, not DXSignal's)

Role-Based Access Control (RBAC)

We implement granular role-based permissions to ensure users only access data they're authorized to view:

  • Organization-level access controls for team management
  • Repository-specific permissions aligned with your source control settings
  • Team-based data isolation to prevent unauthorized access
  • Admin, member, and viewer roles with appropriate privileges

Data Encryption

Encryption in Transit

  • All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • HTTPS enforcement on all endpoints with HSTS (HTTP Strict Transport Security)
  • Strong cipher suites with forward secrecy
  • TLS certificates are logged to Certificate Transparency and rotated regularly

Encryption at Rest

  • All databases are encrypted using AES-256 encryption
  • API tokens and sensitive credentials are encrypted before storage
  • Automated backups are encrypted and stored securely
  • Encryption keys are managed using industry-standard key management systems

Infrastructure Security

Cloud Infrastructure

  • Hosted on Microsoft Azure with SOC 2 Type II certified infrastructure
  • Multi-region deployment with automatic failover capabilities
  • Network isolation using Azure Virtual Networks (VNets)
  • Distributed denial-of-service (DDoS) protection
  • Web Application Firewall (WAF) to filter malicious traffic

Application Security

  • Regular security updates and patch management
  • Dependency scanning and automated vulnerability detection
  • Input validation and sanitization to prevent injection attacks
  • Content Security Policy (CSP) headers to mitigate XSS attacks
  • Rate limiting and API throttling to prevent abuse

Data Privacy & Protection

Minimal Data Collection

We follow the principle of data minimization, collecting only the information necessary to provide our services:

  • Engineering metrics data (deployments, pull requests, builds)
  • Repository and organization metadata
  • User account information (email, name, authentication data managed by Auth0)
  • Usage analytics to improve the platform

Data Retention

  • Metrics data is retained according to your subscription plan
  • User account data is retained while your account is active
  • Deleted data is purged from production systems within 30 days
  • Backup retention follows our disaster recovery policies, so copies of deleted data may remain in encrypted backups until those backups age out

Data Isolation

  • Logical data separation ensures organizations cannot access each other's data
  • Database-level access controls and query filtering
  • Regular audits of access patterns and permissions
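The "query filtering" this section refers to is the single most important control for the RBAC and data-isolation claims above. The following is an added illustration, not DXSignal's code or schema: a constructed in-memory SQLite dataset with two organizations, a vulnerable accessor that filters only by repository name (so a same-named repository in another organization leaks), and a hardened accessor that always binds the tenant predicate from the authenticated session rather than from anything the caller sends. Table, column and organization names are assumptions for the example.

```python
import sqlite3
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    """Authenticated context. org_id comes from the verified identity token, never from the request."""
    user_id: str
    org_id: str


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory dataset with two organizations; sample data, not DXSignal's schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE deployments (
            id     INTEGER PRIMARY KEY,
            org_id TEXT NOT NULL,
            repo   TEXT NOT NULL,
            status TEXT NOT NULL
        );
        INSERT INTO deployments (org_id, repo, status) VALUES
            ('org-a', 'payments-api',  'success'),
            ('org-a', 'payments-api',  'failed'),
            ('org-b', 'payments-api',  'success'),
            ('org-b', 'internal-tool', 'success');
        """
    )
    return conn


def deployments_unscoped(conn: sqlite3.Connection, repo: str) -> list:
    """Vulnerable pattern: filters by repository name only. Two tenants can own a repo with the
    same name, so a caller in org-a receives org-b's rows as well (a cross-tenant leak)."""
    return conn.execute(
        "SELECT org_id, repo, status FROM deployments WHERE repo = ?", (repo,)
    ).fetchall()


def deployments_for_org(conn: sqlite3.Connection, session: Session, repo: str) -> list:
    """Hardened pattern: the tenant predicate is always present and bound from the session."""
    rows = conn.execute(
        "SELECT org_id, repo, status FROM deployments WHERE org_id = ? AND repo = ?",
        (session.org_id, repo),
    ).fetchall()
    # Defense in depth: if a later query change drops the predicate, fail closed instead of leaking.
    for org_id, _, _ in rows:
        if org_id != session.org_id:
            raise RuntimeError("cross-tenant row returned; tenant filtering is broken")
    return rows


if __name__ == "__main__":
    db = build_demo_db()
    alice = Session(user_id="alice", org_id="org-a")
    print("unscoped:", deployments_unscoped(db, "payments-api"))             # includes org-b's row
    print("scoped:", deployments_for_org(db, alice, "payments-api"))         # org-a rows only
    print("other org's repo:", deployments_for_org(db, alice, "internal-tool"))  # []
```

The point of the post-query check in `deployments_for_org` is that a tenant filter living only in a WHERE clause is one refactor away from disappearing; verifying the returned rows against the session turns a silent leak into a loud failure that monitoring can alert on.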

Third-Party Integrations

DXSignal integrates with your development tools using secure OAuth 2.0 authentication:

Integration Security

  • GitHub, GitLab, Azure DevOps, Bitbucket: OAuth tokens with minimal required permissions (read-only access to repositories and metadata)
  • Stripe: PCI DSS compliant payment processing; we never store credit card information
  • Auth0: Industry-leading identity management with enterprise-grade security
  • All integration credentials are encrypted and stored securely
  • Tokens can be revoked at any time from your account settings
  • Regular security audits of third-party dependencies

Webhook Security

  • All inbound webhook payloads are verified against the sending provider's cryptographic signature (or shared secret token) before they are processed; deliveries that fail verification are rejected
  • IP allowlisting available for enterprise customers
  • Webhook endpoints protected by authentication tokens
  • Automatic retry with exponential backoff and failure notifications
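The signature verification described above is the control that keeps an attacker who knows the webhook URL from injecting fake deployment or pull-request events. Here is an added example of how such verification is typically done, not DXSignal's own handler: GitHub-style `X-Hub-Signature-256` (HMAC-SHA256 over the raw request body) and GitLab-style `X-Gitlab-Token` (a shared secret compared verbatim), both checked in constant time before the body is parsed. The secret, the sample payload and the header names' handling are constructed for the example; the two header formats themselves are the providers' documented ones.

```python
import hashlib
import hmac
import json

# Constructed sample values for the example; not DXSignal's real secret or payload.
WEBHOOK_SECRET = b"example-shared-secret"
SAMPLE_BODY = b'{"action":"opened","pull_request":{"number":42}}'


def github_signature(secret: bytes, raw_body: bytes) -> str:
    """Value GitHub puts in X-Hub-Signature-256: 'sha256=' + hex(HMAC-SHA256(secret, body))."""
    return "sha256=" + hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_github_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """True only if the header matches the HMAC of the exact bytes received."""
    header = headers.get("X-Hub-Signature-256", "")
    if not header.startswith("sha256="):
        return False
    expected = github_signature(secret, raw_body)
    # Constant-time comparison so the check does not leak how many leading bytes matched.
    return hmac.compare_digest(expected.encode(), header.encode())


def verify_gitlab_webhook(secret: bytes, headers: dict) -> bool:
    """GitLab sends the shared secret verbatim in X-Gitlab-Token; compare it in constant time."""
    token = headers.get("X-Gitlab-Token", "")
    return hmac.compare_digest(secret, token.encode())


def handle_webhook(secret: bytes, raw_body: bytes, headers: dict) -> dict:
    """Verify first; parse the JSON body only after verification has succeeded."""
    if "X-Hub-Signature-256" in headers:
        ok = verify_github_webhook(secret, raw_body, headers)
    elif "X-Gitlab-Token" in headers:
        ok = verify_gitlab_webhook(secret, headers)
    else:
        ok = False  # unsigned delivery: reject rather than fall through to processing
    if not ok:
        return {"status": 401, "reason": "webhook verification failed"}
    event = json.loads(raw_body)
    return {"status": 200, "action": event.get("action", "unknown")}


if __name__ == "__main__":
    good = {"X-Hub-Signature-256": github_signature(WEBHOOK_SECRET, SAMPLE_BODY)}
    print(handle_webhook(WEBHOOK_SECRET, SAMPLE_BODY, good))
    # A tampered body presented with the original signature is rejected.
    tampered = SAMPLE_BODY.replace(b"42", b"43")
    print(handle_webhook(WEBHOOK_SECRET, tampered, good))
    # Re-serialising the JSON before hashing changes the whitespace and breaks verification:
    # always hash the raw bytes exactly as received.
    reserialized = json.dumps(json.loads(SAMPLE_BODY)).encode()
    print(verify_github_webhook(WEBHOOK_SECRET, reserialized, good))
```

Two details matter in practice: the HMAC must be computed over the raw bytes of the request (a framework that parses and re-serialises JSON before your handler sees it will silently break verification), and the comparison must be constant-time, which is why `hmac.compare_digest` is used instead of `==`.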

Monitoring & Incident Response

Continuous Monitoring

  • 24/7 system monitoring for security events and anomalies
  • Real-time alerts for suspicious activities and potential threats
  • Automated intrusion detection and prevention systems
  • Regular security audits and penetration testing
  • Comprehensive logging of access and authentication events

Incident Response

In the event of a security incident, we have a comprehensive response plan:

  • Immediate containment and mitigation procedures
  • Forensic analysis to determine scope and impact
  • Transparent communication with affected customers
  • Post-incident review and improvement process
  • Coordination with law enforcement when necessary

Compliance & Certifications

DXSignal is committed to meeting industry standards and regulatory requirements:

  • GDPR: Full compliance with EU General Data Protection Regulation
  • CCPA: Compliance with California Consumer Privacy Act
  • SOC 2 Type II: Attestation maintained by our infrastructure and identity providers (Microsoft Azure and Auth0)
  • ISO 27001: Information security management certification maintained by our identity provider (Auth0) and infrastructure providers
  • PCI DSS: Payment Card Industry Data Security Standard compliance via Stripe; DXSignal never handles or stores card numbers

We regularly update our security practices to align with evolving standards and best practices.

Employee Access & Training

  • Strict access controls limit employee access to customer data
  • Multi-factor authentication (MFA) required for all employee accounts
  • Regular security awareness training for all team members
  • Background checks for employees with access to sensitive systems
  • Secure development lifecycle training and code review practices
  • Access is logged and audited regularly

Business Continuity

Backups & Disaster Recovery

  • Automated daily backups with point-in-time recovery
  • Backups encrypted and stored in geographically diverse locations
  • Regular disaster recovery testing and drills
  • 99.9% uptime SLA for enterprise customers
  • Documented business continuity and disaster recovery plans

Reporting Security Vulnerabilities

We take security vulnerabilities seriously and appreciate responsible disclosure from the security research community.

How to Report

If you discover a security vulnerability, please report it to us immediately:

  • Email: security@dxsignal.com
  • Include detailed information about the vulnerability and steps to reproduce
  • Allow us reasonable time to address the issue before public disclosure
  • We do not currently offer a bug bounty program, but we greatly appreciate responsible disclosure

Our Commitment

  • We will acknowledge receipt of your report within 24 hours
  • We will provide regular updates on our progress
  • We will credit researchers who responsibly disclose vulnerabilities (with permission)
  • We will not pursue legal action against researchers who follow responsible disclosure practices

Your Responsibilities

While we implement comprehensive security measures, security is a shared responsibility:

  • Keep your DXSignal login credentials (managed through Auth0) secure and confidential
  • Enable multi-factor authentication (MFA) on your account
  • Use a strong, unique password for your DXSignal account
  • Review and manage connected integrations and OAuth permissions regularly
  • Report any suspicious activity or unauthorized access immediately
  • Keep your team members' access permissions up to date
  • Revoke access for team members who no longer need it

Questions About Security?

We're committed to transparency about our security practices. If you have questions or concerns about security at DXSignal, please contact us.

For enterprise customers, we can provide additional security documentation including SOC 2 reports, penetration testing results, and detailed architecture diagrams upon request with appropriate NDAs in place.