// Trust & Security Report

    GitGuardian SAS logo

    GitGuardian SAS

    Secrets security and non-human identity (NHI) governance platform for developers and enterprises

    Certifications held

    2

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Since 2022, GitGuardian has successfully maintained compliance with AICPA Service Organization Control (SOC 2) Type II audit standard.

    Verify on gitguardian.com
    GDPR
    HELD

    GitGuardian shall: (a) only Process Personal Data in accordance with (i) the requirements of Data Protection Laws and Regulations. Standard Contractual Clauses (Module Two, Controller-Processor) in place for EEA transfers.

    Verify on gitguardian.com
    > Show 8 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence. Trust center and public security policy confirm only SOC 2 Type II and GDPR compliance. ISO 27001 is not claimed on any GitGuardian-owned page reviewed.

    source: trust.gitguardian.com
    HIPAA
    NOT CONFIRMED

    No public evidence. No HIPAA claims found on any GitGuardian-owned page reviewed.

    source: gitguardian.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization on any GitGuardian-owned page reviewed.

    source: gitguardian.com
    PCI DSS
    NOT CONFIRMED

    No public evidence GitGuardian holds PCI DSS certification for its own platform. GitGuardian markets that it helps customers achieve PCI DSS compliance but does not claim the cert itself.

    source: gitguardian.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR registration on any GitGuardian-owned page reviewed.

    source: trust.gitguardian.com
    ISO 27017
    NOT CONFIRMED

    No public evidence of ISO 27017 certification on any GitGuardian-owned page reviewed.

    source: trust.gitguardian.com
    ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27018 certification on any GitGuardian-owned page reviewed.

    source: trust.gitguardian.com
    ISO 42001 (AI Management)
    NOT CONFIRMED

    No public evidence of ISO 42001 certification on any GitGuardian-owned page reviewed.

    source: trust.gitguardian.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Free tier: US only. Business and Enterprise tiers: US or Europe (AWS US and AWS Germany). Enterprise self-hosted deployment removes cloud dependency entirely.

    The Master Service Agreement states Client is the sole and exclusive owner of all Client Data and GitGuardian processes it only for purposes of the agreement. No AI model training license is granted. However, GitGuardian lists OpenAI, AWS (for Generative AI technology), and Google LLC (for AI model hosting) as active subprocessors. Customer code and secrets data may pass through these third-party AI inference APIs when agentic prioritization or triage features are used. LangChain/LangSmith is also listed as a subprocessor for LLM observability, creating a fourth-party data flow. Customers in regulated industries should review https://www.gitguardian.com/legal/subprocessors and confirm subprocessor DPA coverage before enabling agentic features.

    // Security controls

    Encryption in transit

    TLS 1.2 or higher

    gitguardian.com

    Encryption at rest

    AES-256-CBC or stronger

    gitguardian.com

    Cloud hosting

    AWS (US and Germany regions); OVH for development environments

    gitguardian.com

    Penetration testing

    Annual independent penetration test; summary report published on trust center

    trust.gitguardian.com

    Vulnerability scanning

    Monthly internal and external vulnerability scans

    trust.gitguardian.com

    Bug bounty

    Private bug bounty via YesWeHack; public vulnerability disclosure policy (VDP)

    trust.gitguardian.com

    Backups

    Daily encrypted backups; 14-day retention; disaster recovery tested annually

    trust.gitguardian.com

    Log retention

    365 days with SIEM monitoring

    trust.gitguardian.com

    Incident notification

    48-hour notification commitment after discovery

    trust.gitguardian.com

    Cyber liability insurance

    $2 million USD

    gitguardian.com

    SOC 2 auditor

    Prescient Assurance (annual audits since 2022)

    gitguardian.com

    // Products & data scope

    Internal Secrets MonitoringSecrets detection and remediation

    data: Source code repositories, CI/CD pipelines, container registries, collaboration tools (Jira, Slack). Scans 550+ secret types. Customer source code processed on GitGuardian SaaS or self-hosted infrastructure.

    Agentic prioritization feature uses OpenAI, AWS Bedrock, and Google AI subprocessors for incident triage. Available as SaaS (Free/Business) or self-hosted (Enterprise only).

    Public Secrets MonitoringPublic repository secrets detection

    data: Monitors public GitHub repositories and commits for accidentally leaked secrets. Processes public metadata and commit content.

    Full suite is Enterprise-only. Free and Business tiers have limited public monitoring. US data region on lower tiers.

    NHI GovernanceNon-human identity lifecycle management

    data: Service accounts, API keys, OAuth tokens, machine identities across the software stack. Flags orphaned and over-privileged credentials.

    Unlimited honeytokens on Enterprise only. Requires integration with identity providers and vaults.

    GitGuardian CLI (ggshield)Developer endpoint and IDE secrets scanning

    data: Local developer workstations, IDE plugins, pre-commit and pre-push hooks, AI coding sessions. CLI runs client-side; findings reported to SaaS dashboard.

    Open-source CLI. Also available as MCP server for AI coding agents. Does not send full source code to cloud, only matched secret candidates.

    // What to watch

    • AI subprocessor risk: OpenAI, AWS Bedrock, and Google Vertex AI are declared subprocessors that receive customer code or secrets data for agentic prioritization and triage features. Regulated-industry buyers must verify subprocessor DPA flow before enabling these features.
    • Fourth-party AI risk: LangChain/LangSmith is a subprocessor for LLM observability, meaning AI inference traces may be captured beyond the primary AI provider. Verify data handling with GitGuardian.
    • Free tier data residency is US only; EU data residency requires Business or Enterprise plan.
    • Self-hosted deployment is Enterprise tier only; required for air-gapped or strictly on-premise environments.
    • No ISO 27001 certification publicly evidenced despite enterprise market positioning and Fortune 500 customer base. Buyers requiring ISO 27001 should request current certification evidence directly from GitGuardian.
    • HIPAA, FedRAMP, PCI DSS, CSA STAR certifications not held or not publicly evidenced. Healthcare, US federal, and payment-industry buyers must verify suitability before procurement.
    • Subprocessor list (last updated May 20, 2026) includes 20+ vendors spanning US and European regions; buyers should review full list at https://www.gitguardian.com/legal/subprocessors.

    // At a glance

    Pricing model

    Freemium. Free tier for individuals and up to 25 developers (perpetual, no credit card). Business tier custom pricing for up to 200 developers. Enterprise tier custom pricing for 200+ developers with self-hosting and advanced compliance.

    Self-hostable

    Yes

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on GitGuardian SAS's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.gitguardian.com

    > Browse all vendor trust reports