Our systems are designed to safeguard your company data. We frequently audit policies and procedures to ensure compliance with ongoing controls for security frameworks.
Our infrastructure runs on AWS, the world's most secure cloud systems, in a resilient multi-region setup with daily backups. We abide by all security best practices including using tools like AWS Inspector and Guard Duty to keep our platform and infrastructure up-to-date and free from vulnerabilities.
When you run code on our platform, every step and every workflow runs in its own container. The result is workflows that are resilient to issues, with no risk of other clients or outside parties being able to access data at runtime.
We engage in penetration testing on an annualized basis by an external party to ensure that we're resilient to outside attackers.
Whenever your code or low-code runs on our platform, we log the execution of your process and collect its output. This makes it easy for you to dig in and verify exactly what occurred at a specific point in time and troubleshoot any issues with ease.
Every time a workflow is changed in our platform, that change is stored for safekeeping. You can visualize changes made over time, see who made the changes, tie them to individual logs, and even restore their contents if needed.
Avoid the black box of low-code by seeing exactly what code is being executed under the hood.
Administrators can fine-tune the level of access for every user. Organizations can group their work into projects which form the basis of separation for access. For every element in the application, users can be given the ability to create, view, edit, and delete.
Organization access can be controlled with the identity provider of your choice. By default, users are given the ability to log in through SSO for Google and GitHub, with an option provided for multi-factor authentication (MFA). Our Business and Enterprise plans get access to additional custom SAML IdP connections (Okta, Azure AD, OneLogin etc.) and enforcement of all other other account management methods.
The Shipyard API allows you to programmatically export logs and workflow metadata with ease so you can keep tabs on all of your jobs in your own systems. Plus, you can automatically build and update workflows dynamically while continuing to use your own version control tooling.
All code provided to us through either uploading the code or writing the code directly in the UI gets uploaded to S3 and is stored using AES-256 encryption. You can avoid storing your code in Shipyard by using our Github Code Sync integration.
All workflows are stored as YAML configuration files and historical versions are kept for observability purposes.
All inputs and environment variables, as part of the Blueprint and Vessel configurations, are encrypted in transit and at rest. If the input is a credential, it will only ever be displayed as (hidden), SHIPYARD_HIDDEN or XXX in the application. We take great care to ensure that these values can never be retrieved or viewed by end users.
When you run workflows on our platform, we store information related to the runs such as start time, end time, status, and retries.
Additionally, we store the standard output of every Vessel, displayed as searchable plain text in the UI and stored indefinitely as a secure, encrypted file on S3. Because your code controls what data is output, you should always verify that your scripts are not printing any secure data to the output.
All code development is performed through a documented SDLC process with changes tracked by GitHub. Automated CI/CD performs quality assurance checks to ensure application functionality remains unchanged and the application can continue handling large-scale data. Additionally, all code must be peer-reviewed and manually QAed on development environments with full approval before being deployed to production.
We use GitHub’s enterprise features for dependency and vulnerability management to ensure our platform is safe, secure, and up to date. This includes functionality like Dependabot, Code Scanning, and Secret Scanning.
Access to all Shipyard systems is managed through our identity provider, restricted to known devices, gated by a company-hosted VPN, and access is granted according to the principle of least privilege. All access to these tools is logged.
Our team enforces strict SSO policies to ensure that our accounts are centrally managed by our identity provider.
For any systems that still require username and password, 1Password is used for secure management. Passwords are required to be 20+ characters with a mix of symbols, characters, and numbers. Additionally, 2FA security is enforced for tools that allow it.
Shipyard provides continuous education around security, including information related to phishing attempts, scams, and evaluating risks of technology usage.
As a part of our ongoing efforts to maintain security compliance, we use Vanta to monitor and alert our team to potential security issues and maintain our compliance with various security frameworks.
As a part of our engagement with Vanta, we provide prospects with a public trust center to download relevant reports, verify the controls we actively monitor, and learn more about any additional security measures we put in place.