Communication and Storage
Every user's Shipyard is bootstrapped in a secure, single-tenant, fully sandboxed, unique Kubernetes cluster on GKE (managed Kubernetes from Google Cloud Platform). All user code and data is stored in these remote Kubernetes clusters and never resides on Shipyard.build internal infrastructure.
There is limited communication between Shipyard.build and the user Shipyards. All data is transmitted over SSL/TLS and encrypted end to end. These communications are established by Shipyard in accordance with best-practice RBAC and security policies that are continually monitored and updated. All third-party Shipyard integrations communicate with Shipyard.build; there is no direct outside communication enabled with our users' Shipyards.
User passwords for Shipyard.build are secured with bcrypt. User passwords are never stored in plaintext and are never visible to Shipyard's staff. Additionally, user environment variables are treated as secrets by default and are encrypted at rest and in transit to a customer's Shipyard.
Development processes
The major components of our developer infrastructure are only accessible through SSO 2FA authentication. Where available, we mandate that all Shipyard employees utilize 2FA for all third-party services. All production systems run on secured, hardened and patched operating systems.
Server security
Our systems are hosted in ISO 27001, FedRAMP, SOC 1, and HIPAA compliant data centers managed by Google Cloud. The servers are controlled by Google's strict security measures, including onsite security staff, video surveillance and two-factor authentication for physical access. These measures are verified by third-party auditors.
Reporting a security concern
Input and feedback on our security, as well as responsible disclosure, is always appreciated. To submit a report, please email firstname.lastname@example.org. We may provide bounties for relevant issues in accordance with the terms of our bug bounty program.
Please act in good faith toward our users' privacy and data during this process. White hat researchers are always appreciated and we won't take legal action against those offering security reports in good faith.
Reports of any concerns from current and potential customers are appreciated as well.