AppflowSecurity.

SOC 2 Type II Compliance

We take our customers' data privacy and governance seriously, and are committed to protecting their sensitive information by adhering to the strictest standards. SOC 2 Type II compliance provides independent verification you can trust.

Source code protection

Access to source code via your version control system is always encrypted using SSH and/or HTTPS.

Environment variables (secrets)

Environment secrets stored within Appflow are encrypted and only available at runtime for a short duration during builds.

Virtualized environment

All builds in Appflow are run on isolated, ephemeral virtual machines that are securely destroyed after each use.

Build log output & artifacts

Encryption is employed over the wire using SSH and/or HTTPS for both console output and artifacts. Both are only available to those with read access to your repository.

Access Control

Appflow inherits 2FA authentication established in your identity provider, as well as standard login with complex password requirements.

Encryption communication

All data traffic is encrypted via TLS and SSH.

Environment variable encryption

Environment variables are encrypted at rest and in transit, and injected into the runtime environment at the start of a job. All sensitive secrets such as keys, tokens, and other credentials should be stored as environment variables within Appflow.

Source code encryption

Source code is always encrypted in transit via TLS and SSH and is only stored temporarily in ephemeral virtual machines within Appflow.

Data backup

Ionic maintains a data backup policy that follows industry best practices.

Vulnerability scanning

Docker images and EC2 instances are continuously scanned for vulnerabilities using Amazon Inspector.

Architecture

Appflow’s architecture consists of multiple secure network layers.

Build isolation

All builds in Appflow are run on isolated, ephemeral virtual machines that are securely destroyed after each use

Secure coding

Any changes that make their way into production must first be reviewed and approved. Code refactoring must adhere to secure coding principles and industry best practices such as those defined by OWASP.

Site reliability

Ionic’s team of cloud engineers work to maintain Appflow’s infrastructure, historically achieving 99.9% uptime.

Application penetration testing

Appflow is regulary tested by reputable third-party penetration testers to ensure the security of the application.

Background checks

All Ionic employees are subject to background checks and sign confidentiality agreements.

Employee security awareness

Ionic mandates all employees take security awareness, best practice, and incident response training.

Security coding education

Ionic Engineers are required to take secure coding training in addition to their generally mandated security education.

Policies

Ionic’s security management team upholds a variety of security policies which employees must read and accept.

Partner management

Ionic requires all critical third-party vendors to achieve SOC 2 certification at the minimum and verifies certifications annually.

Incident response team

Ionic stands at the ready with a dedicated Incident Response Team.

Incident response policy & plan

An incident response policy is maintained and managed by a dedicated incident response team at Ionic.

Communication

In the event of system-wide issues, customers are notified by their dedicated Customer Success Manager. Appflow's system status and network and security incidents are published at https://status.ionicframework.com.

HQ security

Ionic headquarters is under 24-hour supervision. Each employee’s unique passcode is required to gain access at the office door during all hours. Visitors are required to sign in and be escorted at all times.

Remote security

Ionic’s remote employees adhere to strict security protocols and are issued secure hardware.

Linux & macOS fleet security

Ionic utilizes Amazon Web Services (AWS) for both its Linux and macOS fleet. AWS is an industry leader in security and privacy. Since Ionic employees don’t have physical access, all work is done remotely. Only authorized employees have access to provisioning machines, updating, or de-provisioning machines.