Solano Labs Security Policy
We know that your source code is of the utmost importance to you and your business.Our goal is to treat it with the same care that we would treat our own.
Solano CI is a hosted service that runs on Tier 1 cloud providers. Unless otherwise directed by you, we will run your tests in any one of a number of different data centers administered by one of our hosting providers. We will not transfer your code to or run your tests in a different cloud hosting provider without giving you prior notice and the opportunity to direct us to use particular supported hosting providers. You can read more about the physical and system security policies of our providers here:
- We use a patched Linux distribution and apply regular software updates to provide continuing protection from security exploits.
- We use firewalls to restrict access to both centralized infrastructure and individual worker instances.
- We use modern cryptographic techniques to authenticate and encrypt internal network traffic.
- We do not run user-provided code on any core, shared system. User code runs only in individually siloed environments on work instances.
All sensitive data is transferred over SSL or SSH encrypted connections. All user source code is transmitted over SSH connections authenticated with SSH keys and not passwords.
SSH login credentials used to transfer user source code to Solano CI cannot be used to gain access to a shell or to gain unfettered access to the file system on any central, shared server. All file system access on central servers is via git only. SSH login credentials cannot be used to log in directly to a worker instance running user tests. Worker instances do run user code but are not shared by multiple users.
Solano CI users are issued passwords and API keys to mediate access to the service. User passwords are sensitive data that should be treated with care. API keys are transmitted over SSL, are readily revocable, and are limited in scope.
- The password issued to an account administrator user can be used to add or remove other users and to update key material such as API keys and authorized SSH keys. It is the responsibility of the end user to protect his password with care.
- The password issued to a non-administrative user can be used to update key material such as API keys and authorized SSH keys for that user only.
- The primary API key issued to any user is a password equivalent and should be handled with commensurate care.
- The API keys issued to a user to authorize a git hook such as a post-commit hook on Github cannot be used to gain access to source code, to take any administrative action, or to view test reports or other account data.
- The API keys issued to worker instances on behalf of a user cannot be used to gain access to source code or to take any administrative action such as adding or removing users in an account or altering authorized SSH keys for the account. It only allows the worker instance to receive commands and to report results.
We replicate our own source code both inside and outside the data center to facilitate disaster recovery. We maintain the ability to bring up backup infrastructure in the case of a disaster such as a wide-spread hardware failure.
Solano CI is a hosted testing environment, not a hosted source repository provider or backup service. We keep backups to facilitate recovery in the case of disaster, but customers should not rely on Solano CI as a backup provider. That is, backups of customer data are secure but availability is a best-effort service. In a disaster recovery scenario, customers may be required to push their source code to Solano CI again.
Employees do not have direct access to your source code. Employees may only examine your repository with your consent and only if required to do so in order to support you.
Credit Card Data Security
We use Recurly, a third party credit card processor to handle your credit card data. We do not handle or store your sensitive billing data. Recurly itself adheres to the PCI Data Security Standard PCI DSS and encrypts all sensitive data. For more information, please refer to Recurly's security policy.