Security and Privacy

Our products are trusted by thousands of organizations. We treat security as a core requirement during product development and maintain regular internal and external security assessments. Customers may request all relevant security documents from us as they evaluate our products.

General Data Protection Regulation (GDPR) - European Representative

Pursuant to Article 27 of the General Data Protection Regulation (GDPR), Iterative, Inc. has appointed European Data Protection Office (EDPO) as its GDPR Representative in the EU. You can contact EDPO regarding matters pertaining to the GDPR:

Data security and privacy

Iterative products collect and use only necessary data to function properly. We retain customer data for as long as an account is active, as needed to provide services to customers, or in accordance with the agreement(s) between Iterative and the customer, unless Iterative is required by law to dispose of it earlier or keep it longer. Iterative does not use any personal information collected in the course of doing business for commercial purposes. Please read our full privacy policy at https://dvc.org/doc/user-guide/privacy.

Open-source

Most of our MLOps solutions are open source and thereby subject to public review. Security related to our open source tools is managed by the user, as our tools are downloaded locally. Users manage their own credentials and security policies across resources like clouds, storage, and Git services. There is logging functionality that sends anonymized usage data back to Iterative. Users may opt out of this logging. We'll promptly address any security issues that are brought up by the community. Please let us know at GitHub.

Compliance

Iterative is SOC 2 Type 2 compliant! See the reports for our compliance milestones.

You can also read the key learnings from our compliance experience.

Security as a Company Value: a letter to our customers

Studio permissions and security

As part of our GitOps philosophy, Studio only takes as much information as necessary from your Git service to display experiments, data sets used, metrics, and hyperparameters. Studio only has access to repositories that customer Git services allow. By default, Studio does not access any of the actual data used across your models. Your data remains protected by your cloud credentials (e.g., AWS login). You may allow Studio access to storage for additional information to be displayed by Studio, but this is optional. Access controls to repositories may be granularly managed directly through a customer's respective Git service (GitHub app, GitLab admin settings, etc.).

Bug Bounty Program

To maintain and improve the security of our systems and tools, we are happy to work together with the security community. We believe in a responsible collaborative model around vulnerability testing and reporting that will protect and benefit our customers and users. Please read our full Bug Bounty Program.