Move forward with confidence. We offer multiple levels of protection to keep your intellectual property and sensitive data secure.

Product security

  • SOC 2 Type II Compliance

  • We take our customers' data privacy and governance seriously, and are committed to protecting their sensitive information by adhering to the strictest standards. SOC 2 Type II compliance provides independent verification you can trust.

  • Source code protection

  • Access to source code via your version control system is always encrypted using SSH and/or HTTPS.

  • Environment variables (secrets)

  • Environment secrets stored within Appflow are encrypted and only available at runtime for a short duration during builds.

  • Virtualized environment

  • All builds in Appflow are run on isolated, ephemeral virtual machines that are securely destroyed after each use.

  • Build log output & artifacts

  • Encryption is employed over the wire using SSH and/or HTTPS for both console output and artifacts. Both are only available to those with read access to your repository.

  • Access Control

  • Appflow inherits 2FA authentication established in your identity provider, as well as standard login with complex password requirements.

Data security

  • Encryption communication

  • All data traffic is encrypted via TLS and SSH.

  • Environment variable encryption

  • Environment variables are encrypted at rest and in transit, and injected into the runtime environment at the start of a job. All sensitive secrets such as keys, tokens, and other credentials should be stored as environment variables within Appflow.

  • Source code encryption

  • Source code is always encrypted in transit via TLS and SSH and is only stored temporarily in ephemeral virtual machines within Appflow.

  • Data backup

  • Ionic maintains a data backup policy that follows industry best practices.

Network security

  • Vulnerability scanning

  • Docker images and EC2 instances are continuously scanned for vulnerabilities using Amazon Inspector.

  • Architecture

  • Appflow’s architecture consists of multiple secure network layers.

  • Build isolation

  • All builds in Appflow are run on isolated, ephemeral virtual machines that are securely destroyed after each use

Application security

  • Secure coding

  • Any changes that make their way into production must first be reviewed and approved. Code refactoring must adhere to secure coding principles and industry best practices such as those defined by OWASP.

  • Site reliability

  • Ionic’s team of cloud engineers work to maintain Appflow’s infrastructure, historically achieving 99.9% uptime.

  • Application penetration testing

  • Appflow is regulary tested by reputable third-party penetration testers to ensure the security of the application.

Business security

  • Background checks

  • All Ionic employees are subject to background checks and sign confidentiality agreements.

  • Employee security awareness

  • Ionic mandates all employees take security awareness, best practice, and incident response training.

  • Security coding education

  • Ionic Engineers are required to take secure coding training in addition to their generally mandated security education.

  • Policies

  • Ionic’s security management team upholds a variety of security policies which employees must read and accept.

  • Partner management

  • Ionic requires all critical third-party vendors to achieve SOC 2 certification at the minimum and verifies certifications annually.

  • Incident response team

  • Ionic stands at the ready with a dedicated Incident Response Team.

  • Incident response policy & plan

  • An incident response policy is maintained and managed by a dedicated incident response team at Ionic.

  • Communication

  • In the event of system-wide issues, customers are notified by their dedicated Customer Success Manager. Appflow's system status and network and security incidents are published at

Physical security

  • HQ security

  • Ionic headquarters is under 24-hour supervision. Each employee’s unique passcode is required to gain access at the office door during all hours. Visitors are required to sign in and be escorted at all times.

  • Remote security

  • Ionic’s remote employees adhere to strict security protocols and are issued secure hardware.

  • Linux & macOS fleet security

  • Ionic utilizes Amazon Web Services (AWS) for both its Linux and macOS fleet. AWS is an industry leader in security and privacy. Since Ionic employees don’t have physical access, all work is done remotely. Only authorized employees have access to provisioning machines, updating, or de-provisioning machines.

Frequently asked questions