webapp.io Security Policy

Last updated: October 10, 2023

This Security Policy outlines the measures we take to protect you and your stakeholders when you use webapp.io the “Website”.

webapp.io helps you pass security audits

webapp.io's core goal is to give our users a systematic way to evaluate the quality of their code. To pass security audits (such as SOC 2 Type II), you can use webapp.io as a core system to ensure systems and performance are consistent.

By leveraging our industry-leading caching system, you can populate a database with an anonymized dump of production data in seconds at the beginning of your webapp.io builds. This allows you to ensure that proposed changes will maintain data integrity and pass any necessary security gates.

webapp.io lets you integrate with any software that you want, so it's easy to integrate us with industry-leading security scanners such asSnyk, Vectrix, and SonarQube

The data we store

Personally Identifiable Information

We store certain Personally Identifiable Information when you register for webapp.io. This information consists of:

  1. - Your full name
  2. - Your phone number (for billing purposes)
  3. - Authorizations to perform actions on your behalf on our integration partners (e.g., GitHub and Slack)
  4. - Your Emails (which we use for support & marketing, in an opt-out manner)
  5. - A link to your avatar (hosted on a third party site)
  6. - Metadata such as the pages you visit and the actions you perform on the Website

We do not store any passwords or password hashes. Authentication is done entirely through third party providers when you log in.
We do not store any payment card information. Our payments are processed by Stripe, a PCI-compliant payment processor.

Source code

From the point that you install webapp.io to the point that you uninstall it, we may store a locally cached copy of any repositories for which you request we start CI runs for.

This local copy is only accessible by authorized employees of webapp.io, and our hosting provider.


webapp.io allows you to store secret values in a special section of the run dashboard and expose them with the SECRET ENV directive.

These secrets are encrypted at rest with military-grade AES256. They are only accessible by administrators of your webapp.io account and authorized employees of webapp.io.

Staging servers

Staging servers exposed through EXPOSE WEBSITE can be exposed to the internet if they are not marked as "private." It's your prerogative to ensure that no sensitive data is exposed inadvertently by posting a link to the staging server, or creating a route to a staging server that is publicly accessible.

To maximize security, we recommend not putting any sensitive information on any server exposed by EXPOSE WEBSITE.

Authorized employees

Only authorized employees of webapp.io are given access to our production servers. These employees are senior engineering leaders and executives of webapp.io, which have been thoroughly vetted.

Access control

Webapp.io allows organizations to configure Role Based Access Control (RBAC) for their users. A full list of the permissions available to administrators and their functionalities can be viewed in Our Documentation

Our hosting provider

We run our entire stack and store all of our data on resources provided by OVH, a multinational cloud provider.

Our hosting provider has the following certifications:

  • - ISO 27001
  • - SOC 1 Type II
  • - SOC 2 Type II
  • - CISPE
  • - PCI DSS
  • - EBA
  • - HIPAA & HDS