Security, Privacy, and Compliance
Working with ngrok means working with a vetted, secure solution &Â
seasoned team who understands security
TRUSTED BY OVER 5 MILLION DEVELOPERS AND RECOMMENDED BY CATEGORY LEADERS
Security at ngrok
The ngrok service is designed, built, maintained, monitored, and regularly updated with security in mind. To deliver our service with confidentiality, integrity and availability, we use the shared security responsibility model, a framework adopted by many cloud providers — including Amazon AWS, Microsoft, and Salesforce — to identify the distinct security responsibilities of the customer and the cloud provider. In this model:
- ngrok is responsible for the security of the ngrok service. ngrok is also responsible for providing features you can subscribe to in order to secure your services.
- Our customers are responsible for securing how they use the ngrok service. This includes, for example, granting the correct permissions to users and administrators, disabling accounts and auth tokens when employees are terminated, properly configuring features required to protect your data, and keeping ngrok agents updated in our systems.
How ngrok secures its software development process
The ngrok software development lifecycle is designed with precautions to reduce security risks during code development while delivering software functionality. ngrok adopts rigorous processes and automation to ensure consistency across the development.
We use an identity provider, which enforces minimum password requirements and multi-factor authentication.
We require our vendor applications to have two-factor authentication or use SSO with our identity provider.
Our internal applications are part of a zero-trust setup via OAuth and OIDC. We gate access to our codebase using GitHub. Developer credentials are rotated based on a set schedule in an automated fashion.
We follow industry standard best practices when it comes to updating and deploying our code.
We leverage automated tools to scan our code for a variety of issues, including syntax errors, code style, code quality, CVEs in our container builds, outdated dependencies, and more.
Before code is merged to our master branch, we run automated tests against the build for this code change.
All code merged to our master branch must also be reviewed by a human being as well through a pull request.
We have an automated process for deploying our code changes to production. We leverage Terraform, an infrastructure as code tool, to track changes to our infrastructure.
We require developer machines to have full hard disk encryption. Developers are required to use Chrome as their browser.
All vendor products we use go through a security review and are tracked internally with documentation.
We have internal security policies that employees are trained to follow. These include: remote access, information logging, acceptable encryption, acceptable use, and web application security policies.
How ngrok secures its service
ngrok implements runtime controls at the service level to ensure the confidentiality, integrity, and availability of its service.
Our general philosophy for keeping our production environments secure has two main components: defense in depth and principle of least privilege.
We practice 'least privilege' access grants. Engineers get the minimum level of production access they need.
Shell access to production machines uses industry best practices of SSH certificate authorities to grant time-limited access in extraneous circumstances.
We keep audit logs of all grants to access production machines.
Services that manipulate cloud resources are granted least privilege access grants via an associated 'Role' they assume to perform those operations.
All data is encrypted at rest. This includes databases, host filesystems, network-mounted file systems, and data sent to data warehousing services.
All secrets and keys uploaded by users are further encrypted at the application layer with keys that only we control.
All internal secrets used by ngrok are stored encrypted at rest with key rotation using industry secret key storage provided by HashiCorp Vault.
For API keys, credential tokens, and passwords, we only keep one-way salted hashes of users' credential tokens.
Resources
Recommendations for using ngrok securely
This guide will walk you through recommendations for ensuring you are using ngrok securely.
Best security practices on developer productivity
Learn the best practices to secure developer teams using ngrok while leveraging your company security stack.
ngrok
Trust portal
Learn more about ngrok's security controls. Access our compliance certifications and attestations.
ngrok
Service status
Review ngrok's real-time and historical data on system performance.
Privacy
As a company, ngrok complies with the General Data Protection Regulation (GDPR). We take customer data privacy seriously, ensuring that:
All new vendors, assets and activities pertaining to processing personal data are subject to a review of privacy, security, and compliance.
Personal data is properly collected, stored, and documented.
Relevant processes are followed for transfers of personal data outside the European Union / UK.
For more information, read our privacy policy.
Data Sovereignty
Our customers can use ngrok through our public service or our private offering for complete control of their data and processes.
For more information about our private offering, contact our sales team.
Compliance
ngrok is both SOCÂ 2 Type 1Â and Type 2Â compliant.
The SOC 2 Type 1Â compliance certifies that ngrok's security processes and operations are in place while Type 2Â audits that we follow these processes and operations on a daily basis, meeting AICPA's trust services criteria for security, availability, and confidentiality.
ngrok provides access to the SOCÂ 2 reports as well as all third party security upon request at the ngrok security and trust portal.
