

Contact details and information about our security policies and procedures.

Compliance and security

Security is at the core of everything we do. We aim to meet industry standards and customer expectations for security controls, enabling our customers to focus on building best-in-class tools and experiences. To request a copy of our latest reports, please contact

Platform Security


Physical Access

All of our services run in the cloud. Buildkite does not run its own routers, load balancers, DNS servers, or physical servers.

Application Security

Training and Review

All code is reviewed by a senior engineer with security best practice training before being deployed to production systems.

Automated Testing and Build Processes

We have an extensive set of automated testing procedures that are run for every code change.

Software Dependencies

Buildkite keeps up to date with software dependencies and has automated tools scanning for common security issues including Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection.

Development and QA Environments

These environments are separated physically from Buildkite’s production environment. No customer data is ever used in development or QA environments.

User Logins

We protect against brute force attacks with rate limiting technology. All sensitive data, such as passwords and API tokens, is filtered out of logs and exception trackers. User passwords are cryptographically hashed and salted before being stored in our database.

Penetration Testing

Buildkite performs regular penetration test audits with a contracted third party.

Data in Transit

All data transferred in and out of Buildkite is encrypted using hardened TLS. Buildkite is also protected by HTTP Strict Transport Security and is pre-loaded in major browsers. Additionally, data transferred to and from Buildkite’s backend database is encrypted using TLS.

Policies and Compliance

Employee Access to Data

Buildkite employees will only ever access customer data when it’s required for support-related duties. When a customer contacts support, support staff may sign into their account to help debug a problem with builds or check pipeline settings. When this happens, staff will do their best to respect customer privacy and only access the builds and settings required to diagnose and debug the issue.

Buildkite does not have access to customer source code on self-hosted agents, or artifacts customers host on third parties such as Amazon S3 or Google Cloud.

PCI Obligations

Buildkite is not subject to PCI obligations. All payment processing is outsourced to Pin Payments and Stripe.

Documentation and Change Control

We manage all our infrastructure as code, allowing us to audit and peer review any changes, and to provide a secure and automated process for applying these changes.

Contact Us

If you’ve got any questions, don’t hesitate to contact our team.