We strive to ensure our service and software are secure.

Access 

Our production cluster is only accessible to our on-call team and on an as needed basis for debugging. Production data is never replicated to non-production systems.

Authentication 

All development and production resources require Multi-Factor Authentication (MFA).

Transport 

All systems utilize either Transport Layer Security (TLS), version 1.2 or greater, or Secure Shell (SSH) using industry standard encryption algorithms.

Storage 

All storage is encrypted at rest using AES-256 encryption.

Backup 

The only customer supplied data included in backups is the configuration repository. Data removed by the customer will propagate through backups. See our Privacy Policy for details on requesting a purge from backups.

Payment 

All payment information is entered on Stripe's site directly. Only the transaction amount and reference ID is tracked in our system. See Stripe's policies on security and privacy for more details.

Runner 

Security measures vary between our enhanced and basic runners, but both ensure customer data and CI jobs are isolated.

Patch 

Our engineering team monitors various security feeds and static analysis tools for security vulnerabilities and applies patches as needed.

Monitoring 

System health and performance metrics are collected for both automated and manual analysis.

Logging 

Any logs containing customer data are ephemeral and maintained within the production cluster.

Testing 

Penetration testing is conducted no less than annually. Reports are available upon request.

Corporate 

Credential 

Shared credentials are secured using a password manager.

Device 

All employee devices are secured using a complex password and AES-256 encryption.

Employee 

Background 

Background checks are required before joining.

Termination 

All production and development access can be revoked remotely.