Test out the product now, pick a plan later.
Note: Please visit our Enterprise page for Enterprise Plans.
Rewind Backups for GitHub is a cloud-to-cloud backup solution for GitHub repositories.
Backups include metadata, such as issues, and come with daily snapshots up to 30 days back in time.
With Rewind Backups for GitHub you can restore repositories and metadata to GitHub, clone from Rewind servers, as well as download your data.
You can purchase a plan for up to 1200 repository backups in GitHub Marketplace. Billing is handled through GitHub. If you need more backups or want to purchase an enterprise plan, contact us directly.
Each user/organization requires a separate plan.
Rewind Backups for GitHub is built as a GitHub App.
You install Rewind Backups for GitHub on each user/organization you want to create backups for.
During the installation, you grant read access to your repositories. Every repository you grant access to is backed up.
Once the installation is complete, you login to Rewind Backups for GitHub with your GitHub user.
If you have installed Rewind Backups for GitHub for your GitHub organization, each member with the permission level “owner” can access backups.
For the initial backup, we clone the repositories and pull related metadata via the GitHub API.
Depending on the size of your repositories, and the number of repositories you granted access to (as well as API rate limits), initial backup can take up to a few hours.
The backup includes the complete git repository with all branches and commit history, as well as GitHub-related metadata associated with the repository, such as issues, milestones and so on.
To update the backup, we pull the repository and fetch new metadata. As an incremental update, the daily backup requires less time than the initial backup. We update the backups once a day. Updates are done during the night, Pacific Time.
Once the backup is complete, a snapshot of all backups is created so you can always roll back to a previous state of a backup.
We make daily snapshots and keep them for a maximum of 30 days.
Connecting an Amazon S3 bucket gives you an independent copy of all backups.
When you connect an S3 bucket, we sync all your data to the bucket on a daily basis. Having your own copy lets you further customize and process your backups, e.g., store them locally, or keep snapshots longer than 30 days. Another benefit is being able to access your data anytime, even if GitHub and Rewind were to be down.
Rewind Backups for GitHub provides several ways to recover your data.
Restore to GitHub is done via the Rewind Backups for GitHub restore app, which requires writing permissions to your GitHub account. The restore app first creates a new repository in your account. It then pushes the repository and restores the metadata via the GitHub API.
You can clone a repository directly from your backup on our servers, either from the current snapshot or from any previous snapshot available. For authentication, we use the SSH public key attached to your GitHub user.
You can download the repository and metadata backup from the Rewind Vault user interface. The repository download contains the full git repository, including all branches and commit history. Metadata comes in JSON format. Learn more about downloading backups:
There are many reasons for keeping an extra offsite backup of your repositories.
The number one cause of data loss is directly from users.
Here are a few scenarios that can lead to loss of data in a GitHub repository:
Besides user error or malfeasance, GitHub might accidentally lose your data.
With Rewind Backups for GitHub you can restore your current backup directly back to GitHub or rollback to a previous state of your repository and metadata from any of the backup snapshots up to 30 days back in time.
Many of our customers also need backups for compliance. If you are going through a SOC2 audit, for example, you need a backup of your cloud data.
These are the instructions to install Rewind with a plan from GitHub Marketplace. If you want to purchase an enterprise plan, see instructions here. Before installing you first choose a plan. You can try all our plans free for 14 days.
1. Open GitHub Marketplace
2. Click “Set up a free trial”.
3. Choose a plan with the size that suits your needs. If you need plans larger than 1200 repositories, please contact sales.
The summary of your order displays.
4. Under “Billing information” choose the account for which you want to create backups.
Note: You need a separate plan and installation for your personal account and each organization.
5. When everything is correct, click “Complete order and begin installation”.
Next you manage repository access and permissions.
1. Grant access and permissions as appropriate.
Access. Rewind creates backups for all repositories you grant access to. If you grant access to “All repositories” then backups for all current and future repositories will be automatically created. If you want to backup only select repositories, choose “Only select repositories” and enter the names of the repositories you want to backup.
Permissions. Rewind requires read access to code. For backing up the metadata and to manage access to backups, read access to administration, issues, members, metadata, pull requests, and repository projects is also required.
2. Click “Install” to install Rewind. (GitHub may ask for your password to confirm the installation)
1. Click on “Authorize backhub”.
You are redirected to backhub.co.
On backhub.co an initial dialog displays with the number of repositories you granted access to, and the account for which you have installed Rewind.
1. To start creating backups, click “Create backups”.
A list of all backups displays. Backups are marked either in grey with the status “… pending” or already “… in progress” with a yellow border. Depending on the size and number of your repositories, creating the backups can take between a couple of minutes or up to a few hours.
Once the backups are successfully created, a timestamp with a green border displays.
2. Return to this page later if you want to check the status of your backups.
The BackHub restore app must be installed before you can restore a backup.
For restoring a backup, write permission to at least one repository is necessary. The BackHub restore app is installed separately so that you can remove the app and its permissions after the restore has been completed.
The restore app automatically creates a new repository in your GitHub account with the name given in the restore dialog and restores the full repository and it’s metadata into this repository.
1. Go to the GitHub App directory and start the installation.
2. During the installation process, limit access to “Select repositories” and pick a random repository.
Random, because it’s not possible to choose none unfortunately. The restore app creates a new repository, so the selected repository here isn’t affected in any way.
1. In Rewind, search for the repository to restore
2. Click the panel to open the details
3. In the panel footer, choose the snapshot to restore from
4. Click “Restore”
5. Open your GitHub account and check the restored repository. It may take a couple of minutes up to an hour for the restore to complete, depending on the size of your repository.
Note: Do not change anything in the repository while the restore is in progress (for example, don’t create an issue or try to commit).
After the restore has been completed, you can remove the Rewind restore app and its permission. This increases the security on your account.
1. Open the app settings at GitHub .
2. Select the organization from which to remove the app.
The backup consists of the complete git repository, including all branches, plus GitHub-related metadata associated with the repository, such as issues, milestones and so on.
We include most data available via the GitHub API associated with the repository. This currently includes:
Pull requests are included in the backup, but can only be restored as issues due to limitations of the GitHub API.
Wikis are included in the backup but cannot be automatically restored due to limitations of the GitHub API. Learn how to restore a wiki here.
* Note: When you include an image or another attachment such as ZIP-Files, the file is uploaded to GitHub’s CDN and then referenced by the URL in the issue or comment. The URL for the attachment is included in the backup, but the file itself is fetched from GitHub’s CDN.
Rewind is officially SOC 2 Compliant (Type 1) as of October 2021. Rewind’s SOC 2 report (Type 1) can be shared with a Non-Disclosure Agreement (NDA) to assist with your due diligence processes.
Rewind is hosted on Amazon Web Services (AWS). AWS is a comprehensive cloud computing platform that features enterprise compute power and data storage along with a broad range of IT solutions and utilities.
Rewind data centers are accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX).
Rewind’s data centers provide 24/7 manned security, video surveillance, and biometric access control, as well as multi-factor authentication locks. Here are more details about Amazon Web Services (AWS) security and privacy.
All Rewind data centers are located in Germany or the US. To minimize environmental risks, including flooding, extreme weather, and seismic activity, we select our data center locations according to optimal geographic assessments.
Rewind services are provided on fully-provisioned, redundant servers in case of failure. Redundant servers may include replica databases, multiple load balancers, and web servers. Rewind takes servers out of operation as part of our regular maintenance without any impact to availability.
Rewind creates regular encrypted backups of our data storage on Amazon Web Services (AWS). Encryption at rest and in transit is provided for all backups. In each 24 hour period, Rewind captures a full backup of customer data.
Production data loss is not a likely event, but should it ever occur, we restore all data from these backups.
We maintain backups for 30 days. After 30 days, the backups and all their data are destroyed in a secure manner.
To prevent unauthorized access, Rewind maintains comprehensive transactional logs of all monitored system actions. Logs are pushed to an dedicated logging instance to prevent manipulations.
For the list of all third party services that support Rewind, see the Data Processing Agreement (DPA) in Appendix 4.
We adhere to the same type and degree of encryption as that of financial institutions. Rewind applies the industry standards HTTPS, 256-bit SSL, and AES. All databases are encrypted at rest and in transit. For credentials, all secrets are stored in an encrypted and access-restricted database. Third parties can neither view nor access Rewind network communications.
Users must be authenticated in order to gain access to Rewind. Rewind uses different types of authentication, all designed and provided by GitHub, adhering to OAuth standards. Tokens are never stored persistently on our side, but instead are requested from GitHub on demand. User tokens are encrypted in transit and at rest, and have a very limited lifetime, after which they expire. We do not rely on user passwords, but instead on GitHub Authentication mechanisms. We never ask a customer for their user password or token.
Access to a customer’s GitHub user is limited to a given scope. Rewind requests the minimal set of required GitHub permissions. Installations of Rewind require read-only permissions, limited to those resources that are stored in the backups. Customers can revoke any of these permissions at any time in GitHub settings.
Subscriptions and payments are handled via the GitHub Marketplace. For enterprise plans and customers who have migrated from Rewind basic, payments are captured and stored securely by Stripe, a payment processing service that has been audited by a PCI-certified author.
The certification level of Stripe is PCI Service Provider Level 1, which is the most stringent standard in the payments industry. In addition, for all services, Stripe forces HTTPS using TLS (SSL), and encrypts card numbers on disk using AES-256. Decryption keys are stored on separate machines. Learn more about Stripe security and privacy.
Rewind commissions risk assessments to identify possible vulnerabilities in security or systems. We work to resolve all severe and critical issues with highest priority.
Our platform minimizes the need for downtime, including common system upgrades that could necessitate an outage. In the rare event of scheduled downtime, we notify customers by email at least 24 hours in advance.
The current status of our application is constantly monitored and publicly reported on our status page.
We request that you immediately report any and all suspected security or privacy incidents via technical, physical, or logical means to firstname.lastname@example.org for priority ticketing and resolution management.
Rewind also keeps specialists on retainer to assist in the event of any intrusion, data breach, DDoS attack, or other issues requiring additional support.
We’re compliant with the General Data Protection Regulation (GDPR). GDPR’s mission is to protect the private information of EU citizens and give them more control of their personal data. For businesses, GDPR aims to provide a more level playing field. Contact us for more details on how we comply with GDPR.
Rewind management does thorough reference checks on all applicants prior to employment. When an employee is terminated, management immediately revokes all privileges and updates all relevant credentials.
Rewind uses continuous integration and deployment (CI/CD). This means that all code changes are committed, tested, built and shipped in a predefined and automated way. This decreases the likelihood of security issues while improving the internal response time to bugs and vulnerabilities and their effective eradication.
All Rewind employees receive onboarding and training on our development and production environment, infrastructure, coding guidelines, security policies, and deployment process.
If you have found a security or privacy issue at Rewind, we ask that you follow our
Vulnerability Disclosure Policy.
We work hard to keep Rewind safe for everyone. However, it is possible that unforeseen and potentially negative things may occasionally happen. We appreciate your help in disclosing any concerns to us in a timely manner.
We take security disclosures very seriously and consider them our highest priority. Please support us in making sure we understand the scope of the issue so we can effectively address your concern.
Rewind requests customers to act in good faith towards our users’ privacy and data during any disclosure. Specifically, we ask that you do not post or share any information about a potential vulnerability in any public setting until we have researched, responded to, and addressed the reported vulnerability. Also, we respectfully ask that you do not post or share any data belonging to our users.
Thank you for using and supporting Rewind!