Security

Your data is your organization's lifeline. That's why we're committed to the highest standards of end-to-end security, observability, and governance to protect you and your data. Shipyard follows industry-leading standards that help you ship your data anywhere with peace of mind.
Visit our Trust Center

Secure by Design

Always-On Encryption

All inputs and configurations are encrypted in transit with TLS v1.3 and at rest with AES-256.

Ephemeral Storage

All processed data is immediately purged from our infrastructure after a workflow finishes running, whether it was successful or not.

Full Data Control

We only process data that you specifically designate to send through our platform and we only display data that you explicitly print. You can choose to orchestrate external systems only or process data directly on our platform.

Obscured Credentials

Credentials are never revealed in the UI once they are saved. They can only be accessed and interpreted by your workflows at runtime.

Security Frameworks

Our systems are designed to safeguard your company data. We frequently audit policies and procedures to ensure compliance with ongoing controls for security frameworks.

SOC 2

Our systems are designed to safeguard your company data. We frequently audit policies and procedures to ensure compliance with ongoing SOC 2 requirements. We are SOC 2 Type I certified and are happy to share the report with you if you contact us.

GDPR

Shipyard is fully GDPR compliant. Our Data Processing Addendum enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU.

CCPA

We're committed to regulations that enhance the privacy and protection of user data. Our Data Processing Addendum keeps us in compliance with US laws for CCPA.

SOC 2

We are SOC 2 Type II certified for all five of the Trust Security Criteria (Security, Availability, Processing Integrity, Confidentiality, and Privacy) and are happy to share the report with you through our Trust Center.

HIPAA

We monitor our systems and procedures to safeguard PHI data that may be processed by our systems. These efforts can be validated through our Trust Center. We are able to enter into Business Associate Agreements (BAA) for Enterprise customers.

GDPR

We have a dedicated security team that stays on top of ongoing legal changes to ensure data privacy compliance in the EU. Details can be found in our Data Processing Addendum. Additionally, our systems are continuously monitored via Vanta.

CCPA/CPRA

We remain compliant with the ever-changing data privacy laws in the US through constant monitoring and adjustment. Details can be found in both our Privacy Policy and our Data Processing Addendum. Additionally, we monitor our internal systems using Vanta.

Application Security

Infrastructure

Cloud Hosted

Our infrastructure runs on AWS, the world's most secure cloud systems, in a resilient multi-region setup with daily backups. We abide by all security best practices including using tools like AWS Inspector and Guard Duty to keep our platform and infrastructure up-to-date and free from vulnerabilities.

Containers by Default

When you run code on our platform, every step and every workflow runs in its own container. The result is workflows that are resilient to issues, with no risk of other clients or outside parties being able to access data at runtime.

Penetration Testing

We engage in penetration testing on an annualized basis by an external party to ensure that we're resilient to outside attackers.

Observability

Granular Logs

Whenever your code or low-code runs on our platform, we log the execution of your process and collect its output. This makes it easy for you to dig in and verify exactly what occurred at a specific point in time and troubleshoot any issues with ease.

Version Control

Every time a workflow is changed in our platform, that change is stored for safekeeping. You can visualize changes made over time, see who made the changes, tie them to individual logs, and even restore their contents if needed.

Open-Source Templates

Avoid the black box of low-code by seeing exactly what code is being executed under the hood.

Governance

Granular Control (RBAC)

Administrators can use role-based access control to fine-tune the level of access for every user. Organizations can group their work into projects which form the basis of separation for access. For every accessible element in the application, roles can be created and assigned to users to give create, read, update, and delete (CRUD) access.

IdP Connections

Organization access can be controlled with the identity provider of your choice. By default, users are given the ability to log in through SSO for Google and GitHub, with an option provided for multi-factor authentication (MFA). Our Business and Enterprise plans get access to additional custom SAML IdP connections (Okta, Azure AD, OneLogin etc.) and enforcement of all other other account management methods.

API Management

The Shipyard API allows you to programmatically export logs and workflow metadata with ease so you can keep tabs on all of your jobs in your own systems. Plus, you can automatically build and update workflows dynamically while continuing to use your own version control tooling.

The Data We Store

Configuration

All code provided to us through either uploading the code or writing the code directly in the UI gets uploaded to S3 and is stored using AES-256 encryption. You can avoid storing your code in Shipyard by using our Github Code Sync integration.

All workflows are stored as YAML configuration files and historical versions are kept for observability purposes.

Credentials and Inputs

All inputs and environment variables, as part of the Blueprint and Vessel configurations, are encrypted in transit and at rest. If the input is a credential, it will only ever be displayed as (hidden), SHIPYARD_HIDDEN or XXX in the application. We take great care to ensure that these values can never be retrieved or viewed by end users.

Metadata

When you run workflows on our platform, we store information related to the runs such as start time, end time, status, and retries.

Additionally, we store the standard output of every Vessel, displayed as searchable plain text in the UI and stored indefinitely as a secure, encrypted file on S3. Because your code controls what data is output, you should always verify that your scripts are not printing any secure data to the output.

Personnel Security

Development

Development Lifecycle

All code development is performed through a documented SDLC process with changes tracked by GitHub. Automated CI/CD performs quality assurance checks to ensure application functionality remains unchanged and the application can continue handling large-scale data. Additionally, all code must be peer-reviewed and manually QAed on development environments with full approval before being deployed to production.

Code Security

We use GitHub’s enterprise features for dependency and vulnerability management to ensure our platform is safe, secure, and up to date. This includes functionality like Dependabot, Code Scanning, and Secret Scanning.

Access Controls

Access to all Shipyard systems is managed through our identity provider, restricted to known devices, gated by a company-hosted VPN, and access is granted according to the principle of least privilege. All access to these tools is logged.

Team Security

Enforced SSO

Our team enforces strict SSO policies to ensure that our accounts are centrally managed by our identity provider.

1Password + 2FA

For any systems that still require username and password, 1Password is used for secure management. Passwords are required to be 20+ characters with a mix of symbols, characters, and numbers. Additionally, 2FA security is enforced for tools that allow it.

Continuous Training

Shipyard provides continuous education around security, including information related to phishing attempts, scams, and evaluating risks of technology usage.

Team Process

Always-On Monitoring

As a part of our ongoing efforts to maintain security compliance, we use Vanta to monitor and alert our team to potential security issues and maintain our compliance with various security frameworks.

As a part of our engagement with Vanta, we provide prospects with a public trust center to download relevant reports, verify the controls we actively monitor, and learn more about any additional security measures we put in place.

Visit our Trust Center

Ready to get started?

See how quickly you can build workflows with our platform.