Sleuth Trust Center

Security is very important to us. We follow industry best practices for protecting your organization.


We encrypt your data in transit and at rest, and provide administrative controls including single sign-on (SSO) and enforced two-factor authentication (2FA) via SSO to ensure that your data remains secure organization-wide. Sleuth also provides role-based access controls (RBAC) to help administrators manage access levels.

  • SSO via Google, GitHub, Bitbucket, GitLab, Microsoft, or SAML logins
  • 2FA via SSO providers
  • Role-based access control (RBAC)
  • Continuous bug bounty program running via BugCrowd


We are SOC® 2 Type 2 compliant, certified by an independent third-party auditor. We adhere to industry best practices:

  • Enforced SSO & 2FA and recurring user-access reviews
  • Enforced review for all code changes
  • Automated end-to-end testing of gated deployments
  • Encrypted network access and data storage


We are committed to data privacy. We allow our customers to delete their data from our systems. We encrypt all sensitive data in our datastore. We use third-party bug-bounty programs for security testing.

  • Tested via third-party bug-bounty programs
  • GDPR compliant
  • Sensitive data encrypted within datastore
  • Minimal PII collection: email, name, linked accounts


Sleuth is designed for high performance and availability. We build our solution using best-in-class core technologies including AWS Fargate, RDS, Elasticsearch, and ElastiCache. Our infrastructure spans three availability zones so we're always available.

  • AWS managed services for data and backups
  • No long-lived servers, auto-security patching
  • No publicly exposed access to VPCs
  • Real-time status transparency

Integration Access Levels

Sleuth relies on third-party integrations to track deployments. These applications ask for elevated privileges including, often, write access, enabling Sleuth to add webhooks and automate deployment data collection. All access is completely revocable. Sleuth will never use it for any purpose other than supporting deployments data and collecting deployment data.

  • AppDynamicsRead metrics.
  • AWS CloudWatchRead metrics.
  • Azure DevOpsRead-only for content, work items, and identity; write for webhooks, commit status, and pipeline execution.
  • BitbucketWrite access for webhook installation and commit statuses.
  • Bitbucket PipelinesWrite access for executing pipelines.
  • BlamelessRead incidents.
  • BugsnagRead error counts.
  • BuildkiteRead-only access to organizations, pipelines, builds, and users.
  • CircleCIWrite access for executing pipelines.
  • DatadogRead metrics and publish events.
  • FireHydrantRead incidents.
  • GitHub / GitHub EnterpriseRead-only access to content, issues, teams, metadata, pull requests, and actions;write for commit status and action execution.
  • GitlabWrite access for webhook installation and commit statuses.
  • HoneybadgerRead error counts.
  • JenkinsWrite access for executing pipelines.
  • Jira Cloud / DatacenterRead issues, optionally edit and transition.
  • LaunchDarklyWrite access for webhook installation.
  • LinearRead issues.
  • New RelicRead metrics.
  • OpsgenieRead incidents.
  • PagerDutyRead incidents, optionally write.
  • RollbarWrite access for project token creation.
  • RootlyRead incidents.
  • SentryRead error counts and publish releases.
  • ServiceNowRead incidents.
  • ShortcutRead issues.
  • SlackRead-only access to content, issues, teams, metadata, pull requests, and actions;write for commit status and action execution.
  • Splunk Observability Cloud / SignalFXRead metrics.
  • StatusPageRead status updates.
  • If you discover a security vulnerability please contact us.

    Read our disclosure policy.

    Report a vulnerability ↗