Application Security

Encryption standards and practices

We adhere to the same type and degree of encryption as that of financial institutions. Rewind applies the industry standards HTTPS, 256-bit SSL, and AES. All databases are encrypted at rest and in transit. For credentials, all secrets are stored in an encrypted and access-restricted database. Third parties can neither view nor access Rewind network communications.

Authentication

Users must be authenticated to gain access to Rewind Backups for GitHub (BackHub). Rewind uses different types of authentication, all designed and provided by GitHub and adhering to OAuth standards. Tokens are never stored persistently on our side; instead they are requested from GitHub on demand.

User tokens are encrypted in transit and at rest, and have a very limited lifetime, after which they expire. We do not rely on user passwords, but instead on GitHub Authentication mechanisms. We never ask a customer for their user password or token.

User and application permissions

Access to a customer’s GitHub user is limited to a given scope. Rewind requests the minimal set of required GitHub permissions. Installations of Rewind require read-only permissions, limited to those resources that are stored in the backups. Customers can revoke any of these permissions at any time in GitHub settings.

Payment security

Subscriptions and payments are handled via the GitHub Marketplace. For enterprise plans and customers who have migrated from Rewind basic, payments are captured and stored securely by Stripe, a payment processing service that has been audited by a PCI-certified auditor.

The certification level of Stripe is PCI Service Provider Level 1, which is the most stringent standard in the payments industry. In addition, for all services, Stripe forces HTTPS using TLS (SSL), and encrypts card numbers on disk using AES-256. Decryption keys are stored on separate machines. Learn more about Stripe security and privacy.