Security

Your data is your organization's lifeline. That's why we're committed to the highest standards of end-to-end security, observability, and governance to protect you and your data. Shipyard follows industry-leading standards that help you ship your data anywhere with peace of mind.

Secure by Design

Always-On Encryption

All inputs and configurations are encrypted in transit with TLS v1.2 and at rest with AES-256.

Ephemeral Storage

All processed data is immediately purged from our infrastructure after a workflow finishes running, whether it was successful or not.

Full Data Control

We only process data that you specifically designate to send through our platform and we only display data that you explicitly print. You can choose to orchestrate external systems only or process data directly on our platform.

Obscured Credentials

Credentials are never revealed in the UI once they are saved. They can only be accessed and interpreted by your workflows at runtime.

Security Frameworks

SOC 2

Our systems are designed to safeguard your company data. We frequently audit policies and procedures to ensure compliance with ongoing SOC 2 requirements. We are SOC 2 Type I certified and are happy to share the report with you if you contact us.

GDPR

Shipyard is fully GDPR compliant. Our Data Processing Addendum enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU.

CCPA

We're committed to regulations that enhance the privacy and protection of user data. Our Data Processing Addendum keeps us in compliance with US laws for CCPA.

Application Security

Infrastructure

Cloud Hosted

Our infrastructure runs on AWS, the world's most secure cloud systems, in a resilient multi-region setup with daily backups. We abide by all security best practices including using tools like AWS Inspector and Dependabot to keep our platform and infrastructure up-to-date and free from vulnerabilities.

Containers by Default

When you run code on our platform, every step and every workflow runs in its own container. The result is workflows that are resilient to issues, with no risk of other clients or outside parties being able to access data at runtime.

Penetration Testing

We engage in penetration testing on an annualized basis via an external party to ensure that we're resilient to outside attackers.

Observability

Granular Logs

Whenever your code or low-code runs on our platform, we log the process. This makes it easy for you to dig in, verify exactly what occurred at a specific point in time, and troubleshoot any issues.

Version Control

Every time a workflow is changed in our platform, that change is logged for safekeeping. You can visualize changes made over time, see who made the changes, tie them to individual logs, and even restore their contents if needed.

Open-Source Templates

Avoid the black box of low-code by seeing exactly what code is being executed under the hood.

Governance

Granular Access Control

Administrators can fine-tune the level of access for every user. Organizations can group their work into projects which form the basis of separation for access. For every element in the application, users can be given the ability to create, view, edit, and delete.

API Management

The Shipyard API allows you to programmatically export logs and workflow metadata with ease so you can keep tabs on all of your jobs in your own systems. Plus, you can automatically build and update workflows dynamically while continuing to use your own version control and code management tooling.

The Data We Store

Configuration

All code provided to us, whether uploaded or written directly in the UI, is uploaded to S3 and stored using AES-256 encryption. You can avoid storing your code in Shipyard by using our GitHub Code Sync integration.

All workflows are stored as YAML configuration files and historical versions are kept for observability purposes.

Credentials & Inputs

All inputs and environment variables, as part of the Blueprint and Vessel configurations, are encrypted in transit and at rest. If the input is a credential, it will only ever be displayed as (hidden), SHIPYARD_HIDDEN or XXX in the application. We take great care to ensure that these values can never be retrieved or viewed by end users.

Metadata

When you run workflows on our platform, we store information related to the runs such as start time, end time, status, and retries.

Additionally, we store the standard output of every Vessel, displayed as searchable plain text in the UI and stored indefinitely as a secure, encrypted file on S3. Because your code controls what data is output, you should always verify that your scripts are not printing any secure data to the output.

Personnel Security

Development

Development Lifecycle

All code development is performed through a documented SDLC process with changes tracked by GitHub. Automated CI/CD performs quality assurance checks to ensure application functionality remains unchanged and the application can continue handling large-scale data. Additionally, all code must be peer-reviewed and manually QAed on development environments with full approval before being deployed to production.

Access Controls

Access to all Shipyard systems is managed through our identity provider, restricted to known devices, gated by a company-hosted VPN, and granted according to the principle of least privilege. All access to these tools is logged.

Team Security

Enforced SSO

Our team enforces strict SSO policies to ensure that our accounts are centrally managed by our identity access manager.

1Password + 2FA

For any systems that still require username and password, 1Password is used for secure management. Passwords are required to be 20+ characters with a mix of symbols, characters, and numbers. Additionally, 2FA security is enforced for tools that allow it.

Continuous Training

Shipyard provides continuous education around security, including information related to phishing attempts, scams, and evaluating risks of technology usage.
