Security
At Spacelift, your security while using our services is our first and foremost priority. Here’s what we’re doing to maintain your trust by keeping Spacelift Flows secure.
Certifications
Spacelift is SOC 2 Type II certified.
The certification was performed by an independent external auditor, who confirmed the effectiveness of internal controls for Spacelift’s Security, Availability, Confidentiality, and Processing Integrity.
Security audits
Spacelift performs regular security audits using:
- Active Bounty Program.
- Automated security tooling.
- Internal audits by the Spacelift security team.
- External security firms for audits and penetration testing at least once per year.
Encryption
All of Spacelift Flows’ data is encrypted in transit and at rest. All traffic is handled using secure transport protocols, with the exception of intra-VPC traffic, which is protected by restrictive AWS security groups.
All the data storage systems (Amazon S3, database) are encrypted at rest using AWS KMS keys with restricted and audited access.
Security features
Passwordless logins
Spacelift Flows supports passwordless authentication using magic links. This eliminates the need for passwords while providing a simple and secure authentication experience, and it reduces the risk of password-related attacks such as credential theft, password reuse, and brute-force attacks.
Multi-Factor Authentication (MFA)
This feature elevates the security of your Identity Provider (IdP) sessions by adding FIDO2 security keys, managed within Spacelift Flows. MFA provides an additional layer of security for your identity. Designed for seamless integration, MFA can be enforced across all user accounts to maintain consistent security protocols. You can learn more about our MFA feature here.
Single Sign-On (SSO)
In addition to the default email-based login, Spacelift Flows supports Single Sign-On (SSO) via OIDC using your favorite identity provider. Using SSO, Spacelift Flows can be configured in a passwordless approach, helping your company follow a zero-trust approach. As long as your Identity Provider supports OIDC and passes the email scope, you’re good to go! You can learn more about our Single Sign-On support here.
Environment variables
Spacelift Flows allows granular control of secrets by setting project-level secrets in your Projects.
Private Agent Pools
Spacelift Flows lets you host the underlying integrations that access your internal services on your own infrastructure, as a private agent pool.
Furthermore, the image used by Spacelift private agents is open source, giving customers full transparency into their private workers.
Spacelift Flows supports RBAC by means of Users, Teams, and per-project permission assignments. Learn more here.
Service Accounts and API Keys are available for programmatic access.
Responsible disclosure
If you discover a vulnerability, we would like to know about it so we can address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
I found a vulnerability
When you find a vulnerability in Spacelift, please:
- Email your findings to security@spacelift.io.
- Provide sufficient information to reproduce the problem so we can resolve it as quickly as possible.
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading, deleting, or modifying other people’s data.
- Do not reveal the problem to others until it has been resolved.
- Do not perform attacks on physical security, social engineering, distributed denial of service, spam, or applications of third parties.
What we promise
- We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date.
- If you have followed the instructions above, we will not take any legal action against you in regard to the report.
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission.
- We will keep you informed of the progress towards resolving the problem.
- In the public information about the reported problem, we will give your name as the discoverer of the problem (unless you desire otherwise).
- As a token of our gratitude for your assistance, we offer a reward for every report of a security problem that was not yet known to us. The amount of the reward will be based on the severity of the vulnerability and the quality of the report.
We strive to resolve all problems as quickly as possible, and we would like you to play an active role in the ultimate publication on the problem after it is resolved.