Our infrastructure runs on AWS, the world's most secure cloud systems, in a resilient multi-region setup with daily backups. We abide by all security best practices including using tools like AWS Inspector and Dependabot to keep our platform and infrastructure up-to-date and free from vulnerabilities.
When you run code on our platform, every step and every workflow runs in its own container. The result is workflows that are resilient to issues, with no risk of other clients or outside parties being able to access data at runtime.
We engage in penetration testing on an annualized basis via an external party to ensure that we're resilient to outside attackers.
Whenever your code or low-code runs on our platform, we log the process. This makes it easy for you to dig in and verify exactly what occured at a specific point in time and troubleshoot any issues with ease.
Every time a workflow is changed in our platform, that change is logged for safekeeping. You can visualize changes made over time, see who made the changes, tie them to individual logs, and even restore their contents if needed.
Avoid the black box of low-code by seeing exactly what code is being executed under the hood.
Administrators can fine-tune the level of access for every user. Organizations can group their work into projects which form the basis of separation for access. For every element in the application, users can be given the ability to create, view, edit, and delete.
The Shipyard API allows you to programmatically export logs and workflow metadata with ease so you can keep tabs on all of your jobs in your own systems. Plus, you can automatically build and update workflows dynamically while continuing to use your own version control and code management tooling.
All code provided to us through either uploading the code or writing the code directly in the UI gets uploaded to S3 and is stored using AES-256 encryption. You can avoid storing your code in Shipyard by using our Github Code Sync integration.
All workflows are stored as YAML configuration files and historical versions are kept for observability purposes.
All inputs and environment variables, as part of the Blueprint and Vessel configurations, are encrypted in transit and at rest. If the input is a credential, it will only ever be displayed as (hidden), SHIPYARD_HIDDEN or XXX in the application. We take great care to ensure that these values can never be retrieved or viewed by end users.
When you run workflows on our platform, we store information related to the runs such as start time, end time, status, and retries.
Additionally, we store the standard output of every Vessel, displayed as searchable plain text in the UI and stored indefinitely as a secure, encrypted file on S3. Because your code controls what data is output, you should always verify that your scripts are not printing any secure data to the output.
All code development is performed through a documented SDLC process with changes tracked by GitHub. Automated CI/CD performs quality assurance checks to ensure application functionality remains unchanged and the application can continue handling large-scale data. Additionally, all code must be peer-reviewed and manually QAed on development environments with full approval before being deployed to production.
Access to all Shipyard systems is managed through our identity provider, restricted to known devices, gated by a company-hosted VPN, and access is granted according to the principle of least privilege. All access to these tools is logged.
Our team enforces strict SSO policies to ensure that our accounts are centrally managed by our identity access manager.
For any systems that still require username and password, 1Password is used for secure management. Passwords are required to be 20+ characters with a mix of symbols, characters, and numbers. Additionally, 2FA security is enforced for tools that allow it.
Shipyard provides continuous education around security, including information related to phishing attempts, scams, and evaluating risks of technology usage.
