This Security Policy outlines the measures we take to protect you and your stakeholders when you use webapp.io (the “Website”).
webapp.io helps you pass security audits
webapp.io's core goal is to give our users a systematic way to evaluate the quality of their code. To pass security audits (such as SOC 2 Type II), you can use webapp.io as a core system to ensure systems and performance are consistent.
By leveraging our industry-leading caching system, you can populate a database with an anonymized dump of production data in seconds at the beginning of your webapp.io builds. This allows you to ensure that proposed changes will maintain data integrity and pass any necessary security gates.
The data we store
Personally Identifiable Information
We store certain Personally Identifiable Information when you register for webapp.io. This information consists of:
- Your full name
- Your phone number (for billing purposes)
- Authorizations to perform actions on your behalf on our integration partners (e.g., GitHub and Slack)
- Your Emails (which we use for support & marketing, in an opt-out manner)
- A link to your avatar (hosted on a third party site)
- Metadata such as the pages you visit and the actions you perform on the Website
We do not store any passwords or password hashes. Authentication is done entirely through third party providers when you log in.
We do not store any payment card information. Our payments are processed by Stripe, a PCI-compliant payment processor.
From the point that you install webapp.io to the point that you uninstall it, we may store a locally cached copy of any repositories for which you request we start CI runs for.
This local copy is only accessible by authorized employees of webapp.io, and our hosting provider.
webapp.io allows you to store secret values in a special section of the run dashboard and expose them with the
SECRET ENV directive.
These secrets are encrypted at rest with military-grade AES256. They are only accessible by administrators of your webapp.io account and authorized employees of webapp.io.
Staging servers exposed through
EXPOSE WEBSITE have no authentication mechanism built-in,
besides the unguessable URL link. It's your prerogative to ensure that no sensitive data is
exposed inadvertently by posting a link to the staging server, or creating a route to the staging server.
To maximize safety, we recommend not putting any sensitive information on any server exposed by
Staging servers which are not exposed by any webapp.io directive are not accessible except for by agents which you authorize to access your repository. We ask your SCM provider (e.g., GitHub, BitBucket) whether a specified user has access to a repository to determine if they should have access to a staging server.
Only authorized employees of webapp.io are given access to our production servers. These employees are senior engineering leaders and executives of webapp.io, which have been thoroughly vetted.