Security Overview — OpenCommit
Last Updated: 2026-04-04
OpenCommit aims to protect the confidentiality, integrity, and availability of the Service and user data. This Security Overview describes the technical and organizational measures we use to secure the platform. It is provided for transparency and does not form part of the Terms of Service.
1. Infrastructure and Hosting
- EEA-based hosting: Core infrastructure is hosted within the European Economic Area (EEA).
- Hosting provider: Infrastructure is hosted with Hetzner Online GmbH in Germany and Finland.
- Data center security: We rely on Hetzner’s data center security controls and certifications (including ISO/IEC 27001 where applicable) and industry-standard physical security measures.
2. Network Security
- Segmentation: We segment services to limit unnecessary access between components.
- Firewalls: Inbound access is restricted to required ports and services.
- Administrative access: Administrative access is limited and protected using strong authentication and encrypted connections.
3. Encryption
- In transit: Traffic between clients (web browsers and git clients) and OpenCommit is encrypted using modern TLS.
- At rest: We use encryption where appropriate for backups and sensitive configuration material.
4. Authentication and Account Security
- Passwords: Passwords are stored using strong, one-way hashing.
- 2FA: We support and may require two-factor authentication (2FA) for accounts or organizations.
- SSH: Git access supports SSH keys; users are encouraged to use modern key types (e.g., Ed25519).
5. Application and Dependency Security
- Forge software: The Service is based on Forgejo.
- Patching: We monitor upstream security advisories and apply relevant security updates in a timely manner.
- Hardening: We aim to minimize the attack surface by disabling or restricting non-essential services and features.
6. Monitoring and Logging
- Operational monitoring: We monitor service health and availability to detect incidents and outages.
- Status monitoring: We may use third parties (e.g., Uptime Robot) for status/availability checks.
- Security logging: We maintain logs relevant to security and abuse prevention. Access to logs is restricted.
7. Backups and Recovery
- Backups: We perform regular backups of repository and database data.
- Recovery: We maintain recovery procedures to restore service after incidents.
- User responsibility: Users remain responsible for maintaining independent backups of their repositories.
8. Incident Response
- Response: We investigate suspected security incidents and take appropriate steps to contain and remediate issues.
- Notification: Where required by law or contract (for example under a DPA), we will notify affected parties of relevant incidents.
9. Vulnerability Reporting
If you believe you have found a security vulnerability in OpenCommit, please contact:
Please include sufficient detail to allow us to reproduce and investigate the issue. We request responsible disclosure and ask that you do not publicly disclose vulnerabilities before we have had a reasonable opportunity to remediate them.
10. Changes
We may update this Security Overview from time to time. Material changes will be reflected by updating the “Last Updated” date.