SOC 2 Type II Compliance
We take our customers' data privacy and governance seriously, and are committed to protecting their sensitive information by adhering to the strictest standards. SOC 2 Type II compliance provides independent verification you can trust.
Source code protection
Access to source code via your version control system is always encrypted using SSH and/or HTTPS.
Environment variables (secrets)
Environment secrets stored within Appflow are encrypted and only available at runtime for a short duration during builds.
All builds in Appflow are run on isolated, ephemeral virtual machines that are securely destroyed after each use.
Build log output & artifacts
Encryption is employed over the wire using SSH and/or HTTPS for both console output and artifacts. Both are only available to those with read access to your repository.
Appflow inherits 2FA authentication established in your identity provider, as well as standard login with complex password requirements.
All data traffic is encrypted via TLS and SSH.
Environment variable encryption
Environment variables are encrypted at rest and in transit, and injected into the runtime environment at the start of a job. All sensitive secrets such as keys, tokens, and other credentials should be stored as environment variables within Appflow.
Source code encryption
Source code is always encrypted in transit via TLS and SSH and is only stored temporarily in ephemeral virtual machines within Appflow.
Ionic maintains a data backup policy that follows industry best practices.
Docker images and EC2 instances are continuously scanned for vulnerabilities using Amazon Inspector.
Appflow’s architecture consists of multiple secure network layers.
All builds in Appflow are run on isolated, ephemeral virtual machines that are securely destroyed after each use
Any changes that make their way into production must first be reviewed and approved. Code refactoring must adhere to secure coding principles and industry best practices such as those defined by OWASP.
Ionic’s team of cloud engineers work to maintain Appflow’s infrastructure, historically achieving 99.9% uptime.
Application penetration testing
Appflow is regulary tested by reputable third-party penetration testers to ensure the security of the application.
All Ionic employees are subject to background checks and sign confidentiality agreements.
Employee security awareness
Ionic mandates all employees take security awareness, best practice, and incident response training.
Security coding education
Ionic Engineers are required to take secure coding training in addition to their generally mandated security education.
Ionic’s security management team upholds a variety of security policies which employees must read and accept.
Ionic requires all critical third-party vendors to achieve SOC 2 certification at the minimum and verifies certifications annually.
Incident response team
Ionic stands at the ready with a dedicated Incident Response Team.
Incident response policy & plan
An incident response policy is maintained and managed by a dedicated incident response team at Ionic.
In the event of system-wide issues, customers are notified by their dedicated Customer Success Manager. Appflow's system status and network and security incidents are published at https://status.ionicframework.com.
Ionic headquarters is under 24-hour supervision. Each employee’s unique passcode is required to gain access at the office door during all hours. Visitors are required to sign in and be escorted at all times.
Ionic’s remote employees adhere to strict security protocols and are issued secure hardware.
Linux & macOS fleet security
Ionic utilizes Amazon Web Services (AWS) for both its Linux and macOS fleet. AWS is an industry leader in security and privacy. Since Ionic employees don’t have physical access, all work is done remotely. Only authorized employees have access to provisioning machines, updating, or de-provisioning machines.