
Data handling & privacy

What data leaves the device

Detection happens locally on the machine. File contents are never transmitted to GitGuardian's servers. The only data sent to GitGuardian during a scan is:

  • Hashed fingerprints of detected secrets (see below)
  • Metadata such as file path, timestamp, and scan context

Outbound calls made during a scan include:

  • Provider validity checks (e.g., AWS, GitHub): these go directly from the endpoint to the provider to verify whether a secret is valid and retrieve metadata such as scopes or owner. These calls do not go through GitGuardian's servers. Because the check authenticates with the credential itself, it reaches only the provider that issued it, and it may show up in that provider's own audit logs.
  • Public leak checks via the HasMySecretLeaked (HMSL) protocol (see below).

How secrets are hashed

We never send plaintext secrets to GitGuardian. Instead, Endpoint Protection hashes secrets locally using GitGuardian's HasMySecretLeaked (HMSL) protocol.

The hashing scheme produces a 256-bit digest with scrypt, a deliberately slow, memory-hard key-derivation function, so that brute-forcing fingerprints is impractical at scale. Like any one-way hash, the digest cannot be reversed to recover the secret. The main residual risk is offline guessing: an attacker who obtains a fingerprint can test candidate secrets against it. The slow hash raises the cost of every guess, which protects high-entropy credentials, but it cannot protect a secret that is itself easy to guess.
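The example below is an added illustration, not GitGuardian's own code, of the two points above: the fingerprint-plus-metadata record that leaves the device (with the plaintext secret and the file body left out) and the offline-guessing risk that remains once a fingerprint is known. The page states only "256-bit Scrypt"; the scrypt cost parameters, the fixed salt, the record field names, the simplified server-side lookup and the sample inputs are all assumptions made here for illustration.

```python
# Added illustration, not GitGuardian's own code: endpoint-side fingerprinting,
# the outbound record it produces, a simplified server-side leak lookup, and
# the offline guessing attack the page names as the residual risk.
#
# Assumed (the page states only "256-bit Scrypt"): the scrypt cost parameters,
# the fixed salt, the record field names and the server-side lookup shape.
import hashlib
import hmac
import json
import time
from typing import Optional

SCRYPT_N = 2 ** 14   # CPU/memory cost factor (assumed)
SCRYPT_R = 8         # block size (assumed); memory use is 128 * r * N bytes (16 MiB here)
SCRYPT_P = 1         # parallelism (assumed)
DKLEN = 32           # 256-bit output, as the page states
SALT = b"endpoint-protection-illustration"  # assumed fixed salt so fingerprints are comparable

# Constructed sample inputs for the demonstration; not real credentials.
WEAK_SECRET = "password123"
STRONG_SECRET = "q7Zp2vL9xR4tW8nB1mK6yH3sD5gF0aJc"
SAMPLE_FILE_CONTENTS = "DB_PASSWORD=password123\nAPP_ENV=production\n"


def fingerprint(secret: str) -> str:
    """Return the hex-encoded 256-bit scrypt digest of a secret.

    Deterministic (fixed salt) so the same secret always yields the same
    fingerprint, which is what lets a server match it against known leaks
    without ever receiving the plaintext.
    """
    digest = hashlib.scrypt(
        secret.encode("utf-8"),
        salt=SALT, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return digest.hex()


def build_scan_record(path: str, secret: str, detector: str,
                      scan_context: str = "scheduled",
                      timestamp: Optional[int] = None) -> dict:
    """Build the only thing the page says leaves the device for a finding:
    the fingerprint plus metadata. The secret and the file body are not included."""
    return {
        "fingerprint": fingerprint(secret),
        "detector": detector,
        "path": path,
        "timestamp": int(time.time()) if timestamp is None else timestamp,
        "scan_context": scan_context,
    }


def record_is_clean(record: dict, secret: str, file_contents: str) -> bool:
    """Check a practitioner can run on a captured payload: neither the plaintext
    secret nor any non-empty line of the scanned file appears on the wire."""
    wire = json.dumps(record)
    lines = [line for line in file_contents.splitlines() if line.strip()]
    return secret not in wire and not any(line in wire for line in lines)


def leaked(fp: str, known_leaked_fingerprints: set) -> bool:
    """Simplified stand-in for the server side of a public leak check: the
    server compares fingerprints only, so it learns nothing about secrets
    that were never leaked. The real HMSL exchange is not described here."""
    return fp in known_leaked_fingerprints


def offline_guess(target_fp: str, candidates: list) -> Optional[str]:
    """The residual risk the page names: anyone holding a fingerprint can test
    guesses against it. Each guess costs a full scrypt evaluation (the slow,
    memory-hard design), so this only pays off against weak, guessable secrets."""
    for candidate in candidates:
        if hmac.compare_digest(fingerprint(candidate), target_fp):
            return candidate
    return None


if __name__ == "__main__":
    record = build_scan_record("/home/dev/app/.env", WEAK_SECRET,
                               "generic_password", timestamp=1700000000)
    print(json.dumps(record, indent=2))
    print("payload clean:", record_is_clean(record, WEAK_SECRET, SAMPLE_FILE_CONTENTS))
    wordlist = ["hunter2", "letmein", "password123", "admin"]
    print("weak secret recovered:", offline_guess(record["fingerprint"], wordlist))
    print("strong secret recovered:", offline_guess(fingerprint(STRONG_SECRET), wordlist))
```

Running the script prints the outbound record (fingerprint, detector, path, timestamp, scan context), confirms the plaintext and file lines are absent from it, then recovers the weak secret from a four-word list while the high-entropy one stays unrecovered. Each wordlist entry costs a full scrypt evaluation at the assumed parameters, which is the point of the slow, memory-hard design.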

Scan scope and personal files

Scan scope is policy-configurable. See Configuration reference for details.

A few important points:

  • Endpoint Protection is a corporate control deployed on company-issued machines via MDM.
  • Only credential hashes and metadata leave the machine, not file contents.
  • Directories outside the configured scope, such as system directories and personal files, can be excluded entirely; excluded paths are not read at all.

If you need to share data protection and privacy details with internal audiences, reach out to your GitGuardian contact to request a dedicated document.