Contact details and information about our security policies and procedures.
Security is at the core of everything we do. We aim to meet industry standards and customer expectations for security controls, enabling our customers to focus on building best-in-class tools and experiences. To request a copy of our latest reports, please contact firstname.lastname@example.org.
All of our services run in the cloud. Buildkite does not run its own routers, load balancers, DNS servers, or physical servers.
All code is reviewed by a senior engineer with security best practice training before being deployed to production systems.
We have an extensive set of automated testing procedures that are run for every code change.
Buildkite keeps up to date with software dependencies and has automated tools scanning for common security issues including Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection.
Development and QA environments are separated physically from Buildkite’s production environment. No customer data is ever used in development or QA environments.
We protect against brute force attacks with rate limiting technology. All sensitive data such as passwords and API tokens are filtered out of logs and exception trackers. User passwords are cryptographically hashed and salted before being stored in our database.
Buildkite performs regular penetration test audits with a contracted third party.
All data transferred in and out of Buildkite is encrypted using hardened TLS. Buildkite is also protected by HTTP Strict Transport Security and is pre-loaded in major browsers. Additionally, data transferred to and from Buildkite’s backend database is encrypted using TLS.
Buildkite employees will only ever access customer data when it’s required for support-related duties. When a customer contacts support, support staff may sign into their account to help debug a problem with builds or check pipeline settings. When this happens, staff will do their best to respect customer privacy and only access the builds and settings required to diagnose and debug the issue.
Buildkite does not have access to customer source code, or artifacts customers host on third parties such as Amazon S3 or Google Cloud.
Buildkite is not subject to PCI obligations. All payment processing is outsourced to Pin Payments and Stripe.
We manage all our infrastructure as code, allowing us to audit and peer review any changes, and to provide a secure and automated process for applying these changes.
If you need to secure your communications with us, use our PGP details below.
Find us on Keybase, where you can symmetrically PGP encrypt a message before emailing it to us. keybase.io/buildkite
If you’ve got any questions, don’t hesitate to contact our team.