Your data is for you. No one else.
As CTO of a company that builds data products, I take a strong stance against anything that would put your data at risk. I have a personal, ethical drive to make the extra effort and go the full measure to ensure that we never collect more data than we need, protect all personal information, and secure everything that could be considered sensitive.
There are plenty of laws, like GDPR and CCPA, that govern how companies must safeguard your personal data. But, we can do better. We need to do better.
I believe data privacy and security start with company culture. I take great pride in building our team’s collective conscience around how we handle what is most precious to you—your data.
As a company, we designed privacy, security, and access control into every aspect of our product and software, down to the infrastructure that powers it all.
We never show your individual data to anyone else. Not your manager, director, CTO, CEO, or C-whatever—even, and perhaps especially, if they pay our invoices. There are exactly zero manager-only views hidden away that only a select few get to see.
Your data is for you. Your team's data is for the team.
Everyone on a team sees team data, which is carefully designed to avoid unintentionally exposing individual data. Team data is always aggregated or averaged and we require teams to have at least FIVE members before we show any data. This prevents anyone from identifying individual data inside team data.
All our code editor plugins are open source and viewable on GitHub. I encourage you to look through our codebase if you’re ever concerned about how our plugins work.
All sensitive data elements are hashed using a one-way algorithm, known as BLAKE2b, on the client. Anything that could be considered sensitive information (such as file names, git repos, and project names) is obfuscated before it ever reaches our servers. We encrypt the original values and store them in an entirely different data store, so we can put the name back in the UI.
When you view your data, it will look like this:
When we view your data, however, we see this:
All data processing, transformations, aggregations, and queries are done without ever being able to see your sensitive data.
While this does make some things harder for us, I believe it is worthwhile to protect your data from accidental exposure.
Here is a full list of data elements that we hash and encrypt:
Even if you decide you no longer want to use our products, we still believe that your data is for you.
We provide an easy-to-find and easy-to-use way to delete your data from our systems. When you click the “Delete Account” button, we actually delete all of your personal data. Your request doesn't go to an inbox, or a legal team, or customer support. The button is directly connected to our "Data Deleter" that scrubs all databases, third-party services, and tools that may have seen your email address or name.
Data breaches suck. No one wants their personal data exposed to the world, so we did something about it. A lot of things, actually.
We secure access to all databases with StrongDM, which provides a zero trust, credential-free way to access databases, servers, Kibana, and our Kubernetes infrastructure. We have full audit logs of access and can remove access at a moment's notice. By default, no one automatically has Admin access to any data source. If maintenance is required, we temporarily grant enhanced permissions and then automatically revoke them once complete.
We encrypt all data at rest in databases, backups, and S3. In addition, we use TLS inside and outside our internal network.
We require 2FA for all services that support it and require that passwords be rotated regularly. We also use centralized SSO to dynamically grant access.
The better we protect our infrastructure, the better we protect your data.
In a world awash with data breaches, micromanagement, and other scary things, I have endeavored to make Software.com a safe place for developers to learn from their data. I take our stewardship of your data seriously and will always prioritize its protection.
Your data is for you. No one else.