Shipyard was founded on the principle that "Your Data is Your Business". As a result, we're not in the business of storing any of the underlying data that you're working with on a day to day basis.
As a facilitator of your workflow automation, we recognize that you may be handling sensitive information. While your automated processes may download and manipulate sensitive datasets, each process is run independently, in its own container, on our platform. Once a job finishes running, we automatically spin down all associated resources.
In other words, we make sure the pipes are working effectively, but we'll never store any of the data that you may be working with.
General Application Security
Our application has been built with security in mind at every step.
- All infrastructure is built on AWS, enabling us to have the highest level of cloud security.
- User passwords are stored using the industry leading Blowfish-based Bcrypt algorithm with extremely strong salts.
- All data stored and processed in our databases is encrypted while in transit and at rest using RSAES-OAEP-SHA-256 algorithms with AES-256-GCM.
- All Blueprint and Vessel specific configurations are encrypted at the application level with RSA-4096 bit key types.
- All network traffic to and from our application supports encryption with TLS v1.3 - the latest and most secure version.
There are only three forms of your proprietary data that Shipyard actively handles and stores:
- Your code, which is required to build and run a solution.
- Your credentials, which are required to read and write from external data storage systems and APIs.
- Your output, which is controlled explicitly by your code.
All other data stored by Shipyard is meta-data generated by our platform or frontend usage analytics data generated by 3rd parties.
All code provided to us through either uploading the code or writing the code directly in the UI gets uploaded to S3 and is stored using AES-256 encryption. You can avoid storing your code in Shipyard by using our Github Code Sync integration.
All credentials, as part of the Blueprint and Vessel configurations, are encrypted in transit, by the application using AES-256-GCM, and at rest.
All of your code's output is shown as searchable plain text in the UI and stored indefinitely as a secure, encrypted file on S3. Because your code controls what data is output, you should verify that your script is not printing any secure data to the output. We additionally take measures to ensure that Environment Variables and Password Blueprint Variables are never printed to the output.
There is currently no way to delete a Log and its output from the UI. In the event that you accidentally sent information to the output that should not have been shared publicly, you can reach out to email@example.com to get this data removed.
Storing Data Externally
When using Shipyard, a majority of the data you interact with will come from external services, since Shipyard does not store any of your data. We recommend using the following vendors for a high level of security.
When you need to store large data files, we recommend using Amazon S3, Google Cloud Storage, or Azure Blob Storage.
If you need to store files that business users frequently interact with, we recommend the use of Google Drive, Dropbox, or Box.
If you need to manage large datasets, we recommend using a cloud-optimized database such as Google Bigquery, Snowflake, or Redshift. These modern databases offer the level of scalability necessary to handle large scale automated processes via Shipyard.
All of the services we've recommended have ready-to-use templates built out as part of our Blueprint Library. You can easily and securely transfer data between these services by providing your credentials.
Shipyard's Internal Security Practices
Data security doesn't just end with our application. In the spirit of transparency, we also want you to know what our internal company policies are for accessing and handling sensitive data.
- All access to any of our servers is required to be routed through our Corporate VPN that uses AES-256-CBC encryption.
- Unique IAM roles and permissions are distributed for each tier of our application infrastructure components, preventing one system from having access to others.
- We require individual employee logins for every third-party service or platform that we use as a company. There are no shared accounts in the organization so we can effectively audit and log activity.
- We require all passwords to be at least 12 characters long, randomly generated with a mix of numbers, letters, capitalization, and symbols.
- We perform quarterly technical security training with all employees to increase awareness of phishing attempts, social engineering, and best practices for keeping your credentials safe and secure.
- We encourage our employees to use 1Password, LastPass or similar password managers for their personal lives.
- When available we mandate the use of 2FA for all third-party services, software and platforms used by all of our employees.
- All Shipyard work performed by all of our employees occurs only on managed company-owned devices.
Want to Learn More?
We want to make sure that you feel confident in our ability to keep your information safe. If you have questions about any of our security practices, please reach out to firstname.lastname@example.org.