CircleCI Security

SOC 2 Type II provides CircleCI with an opportunity to meet (and exceed) industry standards and gives our customer organization’s access to industry-recognized, standardized reports that they can compare across services in our space. Achieving SOC 2 Type II compliance means that CircleCI has put in place and follows the procedures and security policies necessary to reduce risks, and that their processes can be requested and audited. Learn more about SOC 2 Type II at https://www.aicpa.org/.

Our FedRAMP Tailored designation demonstrates that CircleCI meets US government data security standards and is authorized for use within US government agencies. Learn more about the FedRAMP certification at https://www.fedramp.gov/.

The certification ensures that CircleCI meets all data transfer security standards for the United States, the EU, and Switzerland under the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. Learn more about Privacy Shield at https://www.privacyshield.gov/welcome.

CircleCI has documented security controls which meet the rigorous standards for cloud data security set by the Cloud Security Alliance. Download a copy of CircleCI’s Star Registry answers at https://cloudsecurityalliance.org/.

CircleCI leverages the PCI compliance of Chargify, Stripe and Zuora.

All CircleCI employees and contractors must pass a background check and sign confidentiality agreements.

CircleCI mandates that new employees attend classes covering security best practices.

Engineers are required to attend an additional technical security workshop.

CircleCI maintains various security policies which are maintained and communicated by our security management team.

CircleCI requires all partners and third-party vendors to fill out a security questionnaire. Those which handle PII are also required to sign a Data Processing Addendum.

CircleCI maintains a security hall of fame which lists persons who have helped CircleCI to identify a security vulnerability. Report a security concern

CircleCI maintains a dedicated Incident Response Team.

CircleCI maintains an Incident Response Policy and Runbook to facilitate decision making during critical situations.

Network and security incidents are published at https://status.circleci.com/

CircleCI headquarters employs 24-hour door personnel and badge access is required at all hours. Visitors are required to sign in and be escorted at all times.

CircleCI’s remote offices in Denver, Toronto, Boston, Japan, and London implement similar physical security controls to the San Francisco headquarters.

CircleCI uses Amazon Web Services for its Linux fleet and Google Cloud Platform for supplementary computing. Both vendors are industry leaders in security and privacy.

CircleCI owns and operates a macOS fleet housed at the Milwaukee Colo datacenter in Milwaukee. No CircleCI employee has physical access to the machines and all administration is done remotely. Datacenter engineers are the only people with access to provisioning machines, updating or deprovisioning machines. Federal regulators completed a full-day onsite audit in 2019 to assess the security, availability and integrity of the facility. Extensive badging, access logging, and other security controls are in place, all of which have been audited and approved under SOC 2 Type II compliance.

CircleCI implements a Docker-centric vulnerability scanning tool in its software development CI/CD process. Patching timelines CircleCI’s cloud service are:
Critical - 14 to 30 days | High - 14 to 30 days | Medium - 45 to 90 days | Low - 90 to 180 days. Monthly scans are submitted to federal authorities as part of ongoing FedRAMP compliance.

CircleCI maintains a formal Audit Policy governing application events, system events, hardware events, and physical access. This includes the what, when, and where of the event, its source, its object, its outcome, and the person associated with it.

CircleCI’s architecture consists of multiple layers of data security including a DMZ, bastion hosts, and iptables.

CircleCI’s Site Reliability, Support and Engineering teams are globally distributed for 24/7/365 coverage.

CircleCI runs all builds in isolated sandboxes that are destroyed after each use.

All data in transit is encrypted via TLS and SSH.

Environment variables are encrypted at rest and in transit, and injected into the runtime environment at the start of a job. All sensitive secrets such as keys, tokens, and other credentials should be stored as environment variables within CircleCI.

Source code is always encrypted via TLS and SSH in transit, but is not encrypted at rest. Source code at rest is secured behind multiple layers of architecture security such as DMZ, bastion hosts, and iptables.

CircleCI maintains a Data Backup and Snapshot Policy that requires restoration capabilities within common industry timelines.

The Software Development Lifecycle Policy dictates delivery, review and merge processes to minimize rollbacks, downtime, design flaws and security incidents.

CircleCI employs a team of Site Reliability Engineers ensuring that the CircleCI application security layers are consistently maintained.

CircleCI's web application is designed to withstand OWASP Top 10 matters such as injections, broken authentication and session management, cross-site scripting (XSS), insecure direct object references, missing function level access control, cross-site request forgery (CSRF), unvalidated redirects and forwards.

Third-party penetration testers are hired quarterly to test the CircleCI application, network, infrastructure, and new products for vulnerabilities. Coverage ranges from OWASP Top 10 to threat modeling of new product features.