SOC2 Compliance & Our Commitment to Data Security

Blake Burch

At Shipyard, we understand that your data is the lifeline of your organization. When you're dealing with mission-critical pipelines, you need to be 100% sure that the partners you work with take security just as seriously as you do.

Today, we are proud to announce that we have successfully completed our SOC 2 Type 1 audit, reinforcing our dedication to the highest standards of end-to-end security, observability, and governance. This certification is a testament to our commitment to protect you and your data while you orchestrate and ship your data with confidence.

SOC 2

SOC 2 (System and Organization Controls) is an auditing procedure designed to ensure that service providers like Shipyard manage and secure customer data according to industry best practices.

The audit evaluated our company's adherence to the Security Trust Service Criterion. SOC 2 Type 1 compliance specifically focuses on evaluating the design and implementation of a company's controls at a specific point in time.

Our Security Measures

To achieve SOC 2 Type 1 compliance, we have implemented robust security measures throughout the application and our internal organization to ensure the confidentiality, integrity, and availability of your data. Here are some highlights of our security framework:

  1. Encryption in transit and at rest: We use always-on encryption for all inputs and configurations with TLS v1.2 in transit and AES-256 at rest.
  2. Ephemeral File Storage: We process data in ephemeral storage, purging it from our infrastructure immediately after a workflow finishes running, and only process data that you specifically designate to send through our platform.
  3. Obscured Credentials: We take great care in handling credentials, ensuring they are never revealed in the UI once saved. They can only be accessed and interpreted by your workflows at runtime.
  4. Application Security Infrastructure: Our infrastructure runs on AWS, the world's most secure cloud systems, in a resilient multi-region setup with daily backups. We employ tools like AWS Inspector and Dependabot to keep our platform and infrastructure up-to-date and free from vulnerabilities.
  5. Penetration Testing: We conduct annual penetration testing with an external party to verify our resilience to outside attackers.
  6. Observability: Shipyard provides granular logs for easy troubleshooting and verification, version control for tracking changes, and open-source templates for transparency.
  7. Governance: Our platform features granular access control and API management, allowing administrators to fine-tune user access and manage logs and workflow metadata programmatically.
  8. Software Development Lifecycle: Our team follows a documented SDLC process, with changes tracked in GitHub and quality assurance checks through automated CI/CD. All code must be peer-reviewed and manually QAed before deployment.

For a full overview of our security measures, check out our security overview page.

Sharing the Results

We strive to be 100% transparent with potential customers as a way to showcase our security. If your security team needs access to our SOC 2 report, penetration test results, architecture diagrams, internal security controls, and more, we're happy to share these documents on request under NDA.

If you're an existing Shipyard customer, contact our support team and we will be more than happy to give you any reports.

What's Next?

Achieving SOC 2 Type 1 compliance demonstrates our unwavering commitment to data security and protection. But it's only the beginning for us.

The hard part of security isn't creating the framework. It's ensuring that the framework is adhered to every day. That's why we plan to undergo an additional audit (known as SOC 2 Type 2) that verifies we are continuing to maintain our standards over the course of a year. We plan to assess our compliance annually to ensure that we meet these standards as well as other security standards beyond the scope of this audit.

Additionally, we plan to increase our security compliance in the application throughout the year with integrations for SSO/SAML, multi-factor authentication, and increased access controls. These additional levers will help our clients gain even more ways to keep their data and their workflows secure.

Our plan is to continuously invest in maintaining the highest standards of end-to-end security, observability, and governance, providing you with the confidence and peace of mind you need to orchestrate your data with Shipyard. If you're interested in getting started, sign up for our free developer plan or reach out to our sales team!