fork-dev / TrackerWin

Bug and issue tracker for Fork for Windows

Cyber Security Assessment - ISO27001 / SOC-2 / Compliance and Privacy Statement #2247

Open Danielku15 opened 1 week ago

Danielku15 commented 1 week ago

Hey @DanPristupov

I'm a happy long-term Fork user and pushed a while ago for us to buy a range of licenses for our company's use across teams. Functionally we are very happy with it, and there is not a single day where we are not using Fork heavily.

Unfortunately our company did a security assessment and considered Fork a security risk due to the lack of insight into compliance and processes. There is a risk of intellectual property leakage due to the lack of insight into the software itself (closed source) and no official statements around this topic.

Your website unfortunately doesn't give much insight into the origin of the software or potential compliance topics. It feels a bit abandoned and raises concerns during such cyber security evaluations.

I am personally not very happy with that decision, but we are a bit lost in our argumentation without your help.

In the interest of us staying with Fork, and maybe to broaden your customer base, there would be a need for an official compliance and privacy statement.

Looking forward to hearing your opinion on that topic.

Best Regards Daniel

DanPristupov commented 1 week ago

Do you have an ISO-27001 or SOC-2 Compliance certification which could establish a certain level of trust between companies and Fork?

No, we don't.

Can you publish and provide more official Compliance and Privacy statements around Fork?

What is a privacy statement? What exactly do you expect us to publish?

Can you provide more official documents and statements about the country of origin and legal obligations with the development done on Fork which could establish further trust?

https://fork.dev/license states that we are from the Czech Republic and that the license is governed by the laws of the Czech Republic.

P.S. Fork is just a wrapper around git. Does git have an ISO-27001 compliance certification? I couldn't find it.

P.P.S. A slightly related issue in the Mac issue tracker: https://github.com/fork-dev/Tracker/issues/2046

DanPristupov commented 1 week ago

I just checked.

ISO 27001 certification provides an independent attestation of a set of documented practices and procedures that cover a wide range of customer data protection aspects.

Fork doesn't gather any customer data. It's a purely local application. We don't have telemetry and we don't even have Google Analytics on the website. There is no data to protect on our side.

Danielku15 commented 6 days ago

Thanks for your fast reply. We're also not fully sure (yet) what level of confirmation is enough for our lawyers and compliance departments to be satisfied and approve Git Fork. At this time we are trying to gather as much information and as many statements as possible to approach them with some foundation to discuss and negotiate.

I think the "luxury version" of what they want to see is something like this:

I think the "license agreement" is already a good step forward in terms of "legal situation".

P.S. Thanks a lot again for your effort and the software you are providing. I will keep you in the loop on how things are evolving on our side, and hopefully this discussion and the information we discuss here will also become a good reference for other companies going through this process (hoping we manage to get the green light there).