Security & Privacy

We take security seriously.
We conduct comprehensive audits of our applications, systems, and networks to ensure that your data is always protected.

Source Code Protection

All access to source code repositories is performed using encrypted connections, either via SSH or TLS. Depending on the version control system, access to private repositories is obtained via an SSH deploy key or a token. Haystack never writes to repositories.

Source Code Protection on Haystack

Haystack does not persist source code files. At the point our system executes analysis, it is performed using the Github API and source code content is not downloaded or persisted. We only persist metrics and necessary metadata to our database.

Employee Access to Customer Data

No Haystack staff will access private source code unless required for support reasons, or responding to an incident. In cases where staff must access source code in order to perform support, we will get your explicit consent each time, except when responding to a security issue or suspected abuse.

When working a support issue we do our best to respect your privacy as much as possible, we only access the minimum files and settings needed to resolve your issue.

Product Security

All access to source code repositories is performed using encrypted connections, either via SSH or TLS. Depending on the version control system, access to private repositories is obtained via an SSH deploy key or a token. Haystack never writes to repositories.

Single Sign On (SSO)

Our products support single sign on (SSO) via GitHub.com for authentication.

Password and Credential Storage

Haystack enforces a password complexity standard and credentials are salted and encrypted using BCrypt.

Uptime

Our systems have uptime of 99% or higher, and we proactively post status updates for production incidents.

Network and application Security

Data Hosting and Storage

Haystack hosts its infrastructure and data in Digital Ocean. We follow Digital Ocean's best practices which allows us to take advantage from their secured, distributed, fault tolerant environment. To find out more information about Digital Ocean security practices, see: https://www.digitalocean.com/legal/data-processing-agreement

Failover and Disaster Recovery

Our systems were designed and built with disaster recovery in mind. Our systems will continue to work should any one of those data centers fail.

Virtual Private Cloud

All of our servers are within our own virtual private cloud (VPC) with network access controls that prevent unauthorized connections to internal resources.

Back Ups and Monitoring

Haystack uses automation to backup all datastores that contain customer data. On an application level, we produce audit logs for all activity.

Permissions and Authentication

Access to customer data is limited to authorized employees who require it for their job. All access to the Haystack websites is restricted to HTTPS encrypted connections.

Haystack enforces policies that requires strong password policies on GitHub, Google and Digital Ocean to ensure access to cloud services are protected.

Encryption

All data sent to or from Haystack systems is encrypted in transit using 256 bit encryption. Sensitive data such as tokens and credentials are stored in a secured database, salted and encrypted.

Incident Response

Haystack implements an Incident Response Policy for handling security events which includes escalation procedures, rapid mitigation and post mortem. All employees are informed of our policies.

Additional Security Information

Policies

Haystack has developed a comprehensive set of security policies covering a range of topics. These policies are updated frequently and shared with all employees.

Employee Vetting

Haystack performs background checks on all new employees in accordance with local laws. The background check includes employment verification and criminal checks for US employees.

Confidentiality

All employee contracts include a confidentiality agreement.

PCI Obligations

When you purchase a paid Haystack subscription, your credit card data is not transmitted through nor stored on our systems. Instead, we depend on Stripe, a company dedicated to this task. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe's security information is available online.

Privacy and Data Protection

Reporting An Issue

If you think you may have found a security vulnerability, please get in touch with our security team at security@usehaystack.io