Architecture

Security Architecture

Dits implements a comprehensive security framework designed for handling sensitive creative assets with end-to-end encryption, access controls, and compliance features.

Security First Design

Security is built into every layer of Dits, from the wire protocol to data storage, ensuring your creative assets remain protected.

Security Principles

Defense in Depth

Multiple security layers
No single point of failure
Secure defaults
Principle of least privilege

Zero Trust Architecture

Verify all access requests
End-to-end encryption
Continuous authentication
Micro-segmentation

Encryption Layers

Transport Layer Security (TLS 1.3)

All network communications are encrypted

Features

Perfect forward secrecy
Certificate pinning support
Mutual TLS for service-to-service
HSTS headers

Protocols

HTTPS for web traffic
QUIC for chunk transfers
SSH for Git operations
mTLS for internal services

Content Encryption (Phase 9)

End-to-end encryption for stored data

At Rest

AES-256-GCM encryption
Convergent encryption for deduplication
Key wrapping with user keys
Hardware security modules (HSM)

In Transit

TLS 1.3 with PFS
QUIC with built-in encryption
Forward secrecy
Certificate validation

Key Management

Secure key lifecycle and storage

Key Types

Key Type	Purpose	Storage	Rotation
Master Keys	Encrypt data encryption keys	HSM/KMS	Annual
Data Keys	Encrypt chunk data	Database (encrypted)	Per upload
User Keys	User authentication	Derived from password	On password change

Convergent Encryption

Dits uses convergent encryption for chunks, allowing deduplication while maintaining security. The same data always produces the same ciphertext, enabling efficient storage without compromising confidentiality.

Access Control

Authentication

JWT Tokens:

Stateless authentication with expiration

API Keys:

Scoped tokens for programmatic access

SSH Keys:

Git-compatible authentication

SAML/OAuth:

Enterprise SSO integration

Authorization

Role-Based Access Control (RBAC):

Owner, Admin, Member, Guest roles
Repository-level permissions
Fine-grained access control

Object-Level Permissions:

File and directory access
Branch protection rules
Lock management

Data Integrity & Verification

Content Verification

BLAKE3 hash verification
Manifest integrity checks
Chunk validation on read
Corruption detection

Audit Logging

All API operations logged
File access tracking
Authentication events
Compliance reporting

Backup Security

Encrypted backups
Secure key storage
Integrity verification
Point-in-time recovery

Network Security

Firewall & Network Controls

Perimeter Security

Web Application Firewall (WAF): SQL injection, XSS prevention
DDoS Protection: Rate limiting, traffic filtering
SSL/TLS Termination: Certificate management, HSTS
API Gateway: Request validation, throttling

Internal Security

Service Mesh: mTLS between services
Network Segmentation: Zero trust networking
Container Security: Image scanning, runtime protection
Secrets Management: Encrypted secret storage

Compliance & Standards

Industry Standards

SOC 2 Security, availability, and confidentiality
ISO 27001 Information security management
GDPR Data protection and privacy
CCPA California privacy rights

Creative Industry Compliance

MPAA Content security standards
SMPTE Media technology standards
C2PA Content provenance and authenticity
DDEX Music industry standards

Security Monitoring

Real-time Monitoring

Access Monitoring

Authentication failures
Unauthorized access attempts
Suspicious activity patterns
Geographic access anomalies

Data Protection

Encryption key access
Data exfiltration attempts
Backup integrity
Storage access patterns

System Security

Network intrusion attempts
Malware detection
Configuration changes
Performance anomalies

Incident Response

Response Plan

Detection: Automated monitoring and alerting
Assessment: Security team evaluation within 15 minutes
Containment: Isolate affected systems
Recovery: Restore from secure backups
Lessons Learned: Post-incident review and improvements

24/7 Security Operations

Enterprise deployments include dedicated security operations center (SOC) with 24/7 monitoring and incident response capabilities.

Privacy & Data Protection

Data Minimization & Privacy

Data Collection

Minimal Data: Only collect necessary user information
Purpose Limitation: Data used only for stated purposes
Retention Limits: Data deleted when no longer needed
Consent Management: Clear user consent for data processing

User Rights

Access: Users can view their data
Portability: Export data in standard formats
Correction: Update inaccurate information
Deletion: Right to be forgotten

Telemetry & Usage Analytics

Privacy-First Telemetry

Dits includes optional, privacy-focused telemetry to help us improve the product. Unlike Git which has no telemetry, Dits collects anonymized usage data when enabled.

What We Collect

Usage Statistics

Command usage frequency (e.g., "add", "commit", "push")
Performance metrics (operation duration, file sizes)
Error occurrences (anonymized error types)
Platform information (OS, architecture)

Anonymized Data Only

No file names, paths, or content
No user identifiers or personal data
No repository contents or metadata
Randomly generated session IDs

Privacy Guarantees

Data Protection

Opt-in only: Disabled by default
Local storage: Data stored locally until uploaded
Encrypted transmission: HTTPS/TLS 1.3
Data minimization: Only essential metrics

User Control

Easy disable: dits telemetry off
Status check: dits telemetry status
Manual upload control
Clear data retention policies

Telemetry vs Git

Understanding how Dits telemetry differs from Git's approach

Aspect	Git	Dits	Reason
Telemetry	None	Optional	Git is purely local. Dits includes server features that benefit from usage insights.
Architecture	Distributed, offline-first	Hybrid (local + optional cloud)	Ditshub provides hosted collaboration features that Git doesn't offer.
Data Collection	Zero data collection	Anonymized usage statistics	Helps improve Ditshub services and user experience.
Privacy Controls	N/A (no data collected)	Opt-in, easy disable	Users have full control over data sharing preferences.

Telemetry Commands

Control telemetry settings from the command line

Enable Telemetry

dits telemetry enable

Opt into telemetry and help improve Dits

Disable Telemetry

dits telemetry disable

Turn off all telemetry collection

Check Status

dits telemetry status

View current telemetry settings and last upload

Transparency Commitment

We believe in transparency about data practices. Telemetry helps us build better tools for creative professionals while respecting user privacy. You can always disable it, and we only collect the minimum data needed to improve Dits.

Security Best Practices

For Organizations

Implement least privilege access

Regular security audits and penetration testing

Employee security training

Secure development lifecycle (SDL)

Regular backup and disaster recovery testing

For Individual Users

Use strong, unique passwords

Enable two-factor authentication

Regularly review access permissions

Keep software and systems updated

Use encrypted connections (HTTPS)

Security is Everyone's Responsibility

While Dits provides robust security features, maintaining security requires cooperation between the platform, organizations, and users. Security is not a product, but a process.

Security Resources

Documentation

Compliance

GDPR Compliance Guide
SOC 2 Report
Security Whitepaper
Penetration Test Reports

Support

Security Advisories
Bug Bounty Program
Security Contact
Incident Response

Security concerns or questions? Contact our security team at security@dits.io