
SLEUTH TRUST CENTER

Security is very important to us. We are proud to follow industry best practices when it comes to protecting your organization.

Security

We protect your data with encryption in transit and at rest and provide administrative controls to enforce organization-wide protection such as SSO and enforced 2FA (via SSO). We provide RBAC to allow administrators to manage access levels within your organization.

  • SSO via Google, GitHub & Bitbucket logins

  • 2FA via SSO providers

  • Role-based access control (RBAC)

  • Application audit logs (coming soon)

If you discover a security vulnerability, please disclose it by emailing security@sleuth.io. Read our disclosure policy.

Compliance

We are currently pursuing our SOC® 2 Type 2 compliance certification. We are employing industry best-practices and are confident we will pass our certification once auditing is completed. These practices include:

  • Enforced SSO & 2FA and recurring user access reviews

  • Enforced review for all code changes

  • Automated end-to-end testing gating deploys

  • Encrypted network access and data storage

Reliability

Sleuth is designed for high performance and availability, and is built on best-in-class core technologies, such as AWS Fargate, RDS, Elasticsearch and ElastiCache. Our infrastructure spans 3 Availability Zones for uninterrupted availability.

  • AWS managed services for data and backups

  • No long-lived servers, auto-security patching

  • No publicly exposed access to VPCs

  • Real-time Status Transparency

Privacy

We are committed to protecting the privacy of your data. We allow customers to completely delete their data from our systems. We encrypt sensitive data within our datastore. We use third-party bug bounties for security testing.

  • Third-party bug bounties

  • GDPR compliant

  • Sensitive data encrypted within datastore

  • Minimal PII collection: email, name, linked accounts

Integration Access Levels

Sleuth relies on third-party integrations to track deploys. These integrations request elevated privileges, often write access, so that we can install webhooks and automate the collection of deploy data. All access can be revoked via Sleuth or via the third-party tool. Sleuth will never use this access for any purpose other than collecting deploy data and taking actions in support of deploys.

  • GitHub/Bitbucket - write access for: webhook install, PR merge statuses, PR merging

  • Rollbar - write access for: project token creation

  • Slack - send notifications and read reactions

  • LaunchDarkly - write access for webhook install


©2020 Sleuth