Shippable Hosted Security Policy

Code security


We take the security of your codebase very seriously - we know how important it is for you and your business to protect it from any attacks.

No Shippable employee will ever read your code unless we obtain explicit permission from you in response to a support request. Even in response to a support request, only a very restricted number of employees are allowed to read customer code.

We may gather macro business intelligence about characteristics of active projects and repositories to figure out what feature and service enhancements we should include in the Shippable roadmap. This will only include projects which have already been set up in Shippable and will not involve reading any actual code.

Account Payment


You are billed at the start of each billing cycle and the credit card we have on record for you is charged automatically. Payments are non-refundable, so there will be no refunds for any reason, such as canceling your account or downgrading your plan. Any such changes to your account will be effective on your next billing cycle.

One person or legal entity may not sign up for more than one free trial account. If you upgrade from the free trial to a paid plan, you will be billed immediately since your monthly subscription cycle begins immediately after you upgrade.

For any upgrade or downgrade in plan level, your credit card will be automatically charged the new rate on your next billing cycle.

You may lose content or features if you downgrade your service. Shippable does not accept any liability for such loss.

Security model


All your tests are run in a sandbox, so customers are only able to access their own code. Each sandbox is firewalled, and it is not possible to access a sandbox from another sandbox or from the internet.

We use Vault to store all sensitive data, such as integrations configuration, for maximum security.

GitHub and Bitbucket authorization


We need to check out your code from GitHub and/or Bitbucket in order to run your tests. When you sign up for Shippable, you might be asked to provide us with access to your private repositories. You can revoke this permission at any time through your GitHub application settings page and by removing Shippable's Deploy Keys and Service Hooks from your repositories' Admin pages.

Please note that GitHub's permissions model is "all or nothing" — Shippable gets permission to access all of a user's repositories or none of them. Please contact GitHub if you want them to change this model.

Partners with access to your source code


Shippable uses Amazon EC2, so we check out your code onto Amazon's EC2 machines. If the EC2 service becomes vulnerable, your source code may also become vulnerable to accidental disclosure. Please read Amazon's Security Center to understand this in greater detail.

Other partners


A few other partners have access to limited amounts of customer data so that we can use their services for billing, email, etc. These partners will never have access to your account or your code repositories.

Questions?


Please contact us at support@shippable.com if you have any questions about this Security Policy.

Last updated


This policy was last updated on 5th February, 2017.