Security

Contact details and information about our security policies and procedures.

Platform Security

Infrastructure

Physical Access

All of our services run in the cloud. Buildkite does not run its own routers, load balancers, DNS servers, or physical servers.

Application Security

Training and Review

All code is reviewed by a senior engineer with security best practice training before being deployed to production systems.

Automated Testing and Build Processes

We have an extensive set of automated testing procedures that are run for every code change.

Software Dependencies

Buildkite keeps up to date with software dependencies and has automated tools scanning for common security issues including Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection.

Development and QA Environments

These environments are separated physically from Buildkite’s production environment. No customer data is ever used in development or QA environments.

User Logins

We protect against brute force attacks with rate limiting technology. All sensitive data such as passwords and API tokens are filtered out of logs and exception trackers. User passwords are one-way encrypted and salted before being stored in our database.

Penetration Testing

Buildkite performs regular penetration test audits with a contracted third party.

Data in Transit

All data transferred in and out of Buildkite is encrypted using hardened TLS. Buildkite is also protected by HTTP Strict Transport Security and is pre-loaded in major browsers. Additionally, data transferred to and from Buildkite’s backend database is encrypted using TLS.

Policies and Compliance

Employee Access to Data

Buildkite employees will only ever access customer data when it’s required for support-related duties. When a customer contacts support, support staff may sign into their account to help debug a problem with builds or check pipeline settings. When this happens, staff will do their best to respect customer privacy and only access the builds and settings required to diagnose and debug the issue.

Buildkite does not have access to customer source code, or artifacts customers host on third parties such as Amazon S3 or Google Cloud.

PCI Obligations

Buildkite is not subject to PCI obligations. All payment processing is outsourced to Pin Payments and Stripe.

Documentation and Change Control

We manage all our infrastructure as code, allowing us to audit and peer review any changes, and to provide a secure and automated process for applying these changes.

PGP Key

If you need to secure your communications with us, use our PGP details below.

Keybase

Find us on Keybase, where you can symmetrically PGP encrypt a message before emailing it to us.

keybase.io/buildkite

Buildkite’s PGP Key

Key ID

6452D198

Fingerprint

mQENBFTHL0oBCADvaUEoRRDk4KIOm


Contact Us

If you’ve got any questions, don’t hesitate to contact our team.