Shipyard was founded on the principle that "Your Data is Your Business". As a result, we're not in the business of storing any of underlying data that you're working with on a day to day basis. As a facilitator of your workflow automation, we recognize that you may be handling sensitive information. While your automated processes may download and manipulate sensitive datasets, each process is run independently, in it's own container, without context awareness in our platform. Once a job finishes running, we automatically spin down all associated resources. In other words, we make sure the pipes are working effectively, but we'll never store any of the data that you may be working with.
Our application has been built with security in mind at every step.
All infrastructure is built on AWS, enabling us to have the highest level of cloud security.
User passwords are hashed using Bcrypt with strong salts.
All data stored in our databases is encrypted at rest.
All Blueprint and Vessel specific configurations are additionally encrypted at the application level.
All external network traffic from the application is encrypted with TLS.
There are only three forms of your proprietary data that Shipyard actively handles and stores:
Your code, which is required to build and run a solution.
Your credentials, which are required to read and write from external data storage systems and APIs.
Your output, which is controlled explicitly by your code.
All other data stored by Shipyard is meta-data generated by our platform or frontend usage analytics data generated by 3rd parties.
All code provided to us through either uploading the code or writing the code directly in the UI gets uploaded directly to S3. If code for a specific Vessel is ever updated, the old version of the code gets routinely wiped every 7 days.
All credentials provided to the application as Environment Variables are both encrypted at rest and at the application level.
Output All of your code's output is shown as searchable plain text in the UI and stored indefinitely as a file on S3. Because your code controls what data is output, you should verify that your script is not printing any secure data to the output. We additionally take measures to ensure that Environment Variables and Password Blueprint Variables are never printed to the output. There is currently no way to delete a Log and it's output from the UI. In the event that you accidentally sent information to the output that should not have been shared publicly, reach out to email@example.com to get this data removed.
When it comes to storing large data files, we recommend using Amazon S3, Google Cloud Storage, or Azure Blob Storage.
For more user-friendly file storage systems, we recommend the use of Google Drive, Dropbox, or Box.
When it comes to storing and organizing large datasets, we recommend using a cloud-optimized database such as Google Bigquery, Snowflake, or Redshift. These modern databases offer the level of scalability necessary to handle large scale automated processes via Shipyard.
Data security doesn't just end with our application. In the spirit of transparency, we also want you to know what our internal company policies are for accessing and handling sensitive data.
All SSH Internet Access to our application servers is required to be routed through our Company VPN which has a dedicated IP address.
New IAM roles are distributed for each use case and each service, preventing one user from having access to multiple parts of our internal system.
We require individual logins for every service that we use as a company. There are no shared accounts in the organization so we can effectively audit and log activity.
We require all passwords to be at least 12 characters long, randomly generated with with a mix of numbers, letters, capitalization, and symbols.
We run through security training with all new employees to increase awareness of phishing attempts, social engineering, and best practices for keeping your credentials safe and secure.
We encourage our employees to use 1Password or similar password managers for their personal lives.
We require the use of 2FA for all software used by our team members, when it's offered.
All company work can only be performed on restricted, known company devices. We prevent the access of accounts outside of these approved devices.
If you have questions about any of our security practices, please reach out to firstname.lastname@example.org. We want to make sure that you feel confident in our ability to keep your information safe.