Security and Copyright Statement


Last revised on March 12, 2016

Bliss.AI Pty Ltd
32 Kennedy Tce
Paddington, Brisbane, Qld 4064
Australia

The Gist

We respect your copyright and ownership of your code and have set up Bliss so that it is secured in a similar way to services you are probably already using.

Security and Copyright Statement

This statement is made by Bliss.AI Pty Ltd (Bliss) regarding the use and provision of Bliss (blissai.com).

Security is a top concern because we handle a primary asset of your company: your source code. At Bliss, we keep our infrastructure protected so that this asset is safe from unauthorized access.

System Security

Your code is never executed, and it is not read by a human except as described under support access below. It is only subject to static analysis on servers running at Digital Ocean (New York) and at Amazon Web Services US East, both directly and via Heroku. Access to these accounts requires two-factor authentication and encrypted connections, and is limited to essential staff only.

Services Used and Data Stored in them

We use the following services to run Bliss:

  • Digital Ocean (security policy: https://www.digitalocean.com/security/), Amazon Web Services EC2 (security policy: https://aws.amazon.com/security/) and Heroku (security policy: https://www.heroku.com/policy/security) to run all of the components that form the Bliss service and to store your code, OAuth tokens and user data.
  • RedisToGo to store non-critical data for real-time tracking of build requests going through our system and for feature flips.

We store data related to Bliss, in anonymized form, with the following services:

  • Papertrail to store logs from all the components of Bliss so that we can investigate issues. The logs can include names of users and repositories, but they are scrubbed of any kind of sensitive information.
  • NewRelic to track runtime metrics about the application's components.
  • Google Analytics to track visits to our website.

Our use of the above services is bound to their respective security precautions and their availability.

Copyright Statement

Bliss claims no ownership or control over any of your source code. You retain copyright and any other rights you already hold in the source code.

Credit Card Data

Bliss does not store or receive any kind of credit card data other than a reference token that allows us to create payments with our payments provider Stripe, a PCI Level 1 certified payments provider. Please refer to their security policy for more details: https://stripe.com/help/security.

How does Bliss access my GitHub or Bitbucket account?

When you sign up for Bliss, we collect an OAuth token from GitHub or Bitbucket, which allows us to request data from the GitHub or Bitbucket API on your behalf. This OAuth token is stored securely in our database and is protected from unauthorized access. On Bitbucket we also ask you to grant our FounderBliss user read access to your code.

The OAuth token is bound to the permissions set on GitHub and Bitbucket, so please make sure you have read their documentation on access control and API access permissions.

We use this token only in the following situations, and under no other circumstances:

  • To synchronize the list of repositories you have access to. We use this information to show you the available repositories on your profile page so you can enable or disable them on Bliss.
  • To check out the source code of repositories you have enabled. Source code from your repositories is accessed read-only, for the sole purpose of performing the static analysis described below. Under no circumstances does Bliss write or modify source code or Git metadata in your hosted Git repositories.

We only manually access your code when requested by you and with your consent, in order to debug and help solve support-related issues you have raised.

How does Bliss access my source code?

We run a series of static analysis scripts over your code to produce value and debt calculations. The code is not run or executed in any way. The only time our systems access your repository directly is when checking out the source code on one of our analyzer machines (or as permitted by you for support needs). Any cache or temporary storage of your source code is cleaned within a day to ensure that no permanent copy is kept.

Source code is only accessed over SSH or HTTPS.

What data do we store from GitHub?

When you push code to GitHub for a repository that is set up to run on Bliss, we get a push notification. The same is true for pull requests that are sent to us.

These notifications don't include any sensitive information other than commit references, names of files changed, and who authored and committed the changes.

We store these notifications solely for debugging purposes.

Is there a security/bug bounty program?

We have a kudos-based bounty program to encourage testing of our site. We believe bug bounty programs are a great idea and we have already seen some positive results from this process.

I have more questions about security and Bliss

Send us an email to [email protected]

To encrypt your communications with Bliss, or to verify signed messages you receive from us you can use the PGP key below.

  • Key ID: 52F3FF98
  • Key type: RSA
  • Key size: 4069
  • User ID: [email protected]
  • Fingerprint: 2A72 69CB 5C59 6BD4 0D13 BF61 581C DA62 52F3 FF98

Our PGP key:

-----BEGIN PGP PUBLIC KEY BLOCK-----
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=38AP
-----END PGP PUBLIC KEY BLOCK-----
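Before trusting a key you fetch, compute its fingerprint yourself and compare it with the one published above; the key ID is simply the last 8 (short) or 16 (long) hex digits of the fingerprint, which is why the Key ID and Fingerprint listed above end in the same 52F3 FF98. The following is an added example for this page, not Bliss's own tooling. It uses only the Python standard library: it dearmors a public key block, verifies the armor CRC-24, finds the first public-key packet and computes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, the two-byte body length and the packet body). The key it builds for demonstration is a constructed toy RSA key, not the key published on this page.

```python
"""Check an ASCII-armored OpenPGP public key against a published fingerprint.

Added example, not Bliss's own tooling. The sample key built by build_toy_key()
is a constructed toy RSA key for demonstration, not the key published on this page.
"""
import base64
import hashlib
import re

CRC24_INIT = 0xB704CE
CRC24_POLY = 0x1864CFB


def crc24(data: bytes) -> int:
    """Armor checksum from RFC 4880 section 6.1."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF


def dearmor(armored: str) -> bytes:
    """Strip the armor, base64-decode the body and verify the "=XXXX" CRC-24 line if present."""
    lines = [l.rstrip("\r") for l in armored.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored block")
    data, crc_line, in_headers = [], None, True
    for line in lines[1:-1]:
        if in_headers:
            if line.strip() == "":      # a blank line ends the armor headers
                in_headers = False
                continue
            if ":" in line:             # armor header such as "Version: GnuPG v2"
                continue
            in_headers = False
        if line.startswith("="):
            crc_line = line[1:].strip()
        else:
            data.append(line.strip())
    raw = base64.b64decode("".join(data), validate=True)
    if crc_line is not None and crc24(raw) != int.from_bytes(base64.b64decode(crc_line), "big"):
        raise ValueError("armor checksum mismatch: block corrupted or tampered with")
    return raw


def iter_packets(raw: bytes):
    """Yield (tag, body) per packet; old and new header formats (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(raw):
        ctb, pos = raw[pos], pos + 1
        if not ctb & 0x80:
            raise ValueError("invalid packet header")
        if ctb & 0x40:                                   # new format
            tag, first, pos = ctb & 0x3F, raw[pos], pos + 1
            if first < 192:
                length = first
            elif first < 224:
                length, pos = ((first - 192) << 8) + raw[pos] + 192, pos + 1
            elif first == 255:
                length, pos = int.from_bytes(raw[pos:pos + 4], "big"), pos + 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old format
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length, pos = int.from_bytes(raw[pos:pos + nbytes], "big"), pos + nbytes
        yield tag, raw[pos:pos + length]
        pos += length


def v4_fingerprint(body: bytes) -> str:
    """Fingerprint of a version 4 public-key packet body as 40 upper-case hex digits."""
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def normalize_fingerprint(fingerprint: str) -> str:
    hexfp = re.sub(r"\s+", "", fingerprint).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexfp):
        raise ValueError("fingerprint must be 40 hex digits")
    return hexfp


def key_id(fingerprint: str, long: bool = False) -> str:
    """Key ID = trailing 64 bits (long) or 32 bits (short) of the v4 fingerprint."""
    hexfp = normalize_fingerprint(fingerprint)
    return hexfp[-16:] if long else hexfp[-8:]


def verify_armored_key(armored: str, published_fingerprint: str) -> bool:
    """True if the first public-key packet in the block has the published fingerprint."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:                                     # public-key packet
            return v4_fingerprint(body) == normalize_fingerprint(published_fingerprint)
    raise ValueError("no public-key packet found")


def armor_is_intact(armored: str) -> bool:
    """False if the block fails to decode or its CRC-24 does not match."""
    try:
        dearmor(armored)
        return True
    except ValueError:
        return False


def _mpi(value: int) -> bytes:
    """Multi-precision integer: 2-byte bit count, then the big-endian value."""
    return value.bit_length().to_bytes(2, "big") + value.to_bytes((value.bit_length() + 7) // 8, "big")


def build_toy_key():
    """Constructed sample: armored v4 RSA key with a tiny, insecure modulus. Returns (armored, fingerprint)."""
    n, e = 0xC5E3B1F7A9D2468ACE13579BDF0246813, 65537  # toy numbers, not a real key
    body = b"\x04" + (1457740800).to_bytes(4, "big") + b"\x01" + _mpi(n) + _mpi(e)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body   # old-format header, 2-byte length
    b64 = base64.b64encode(packet).decode()
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    armored = "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + b64 + "\n=" + crc + "\n-----END PGP PUBLIC KEY BLOCK-----\n"
    return armored, v4_fingerprint(body)


if __name__ == "__main__":
    armored, expected = build_toy_key()
    print("fingerprint:", expected, "key ID:", key_id(expected))
    print("matches published fingerprint:", verify_armored_key(armored, expected))
```

To check the key above, pass the armored text and the fingerprint printed on this page to verify_armored_key; a False result or a checksum error means the block you fetched is not the one Bliss published. Note that a mismatching CRC only tells you the block was damaged in transit, not which party damaged it, and a matching CRC proves nothing on its own: only the fingerprint comparison does.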