Data at ngrok: A primer
Here at ngrok, we aim to build developer experiences for our users that “just work.” We want our IT, security, and compliance users to have the same easy experience understanding ngrok as developers.
Let’s start at the beginning - what personal data does ngrok have?
When you use ngrok, the following data will be transmitted over the ngrok platform:
Proxied data - This is data that’s sent via ngrok tunnels
The data traversing ngrok tunnels is entirely determined by ngrok customers. This will most likely be the most sensitive data being sent through ngrok. The good news is our tunnels are where you have the most options to configure security controls - this means that you can leverage the default https or set up zero knowledge encryption so ngrok never sees the raw data.
The following personal data will be stored by the ngrok platform:
IP addresses
The IP address/es of connections through the Proxy Service and the network within which you are running the ngrok agent
Details about the machine on which the ngrok Agent is running
This could include its operating system, CPU architecture, and anonymized information about the hardware and software environment Information from your browser or device such as IP addresses of all requests and your HTTP client user agent.
If you use the following features of ngrok, we may store additional info:
Traffic Inspector provides network traffic observability throughout the ngrok platform
By default, the ngrok Traffic Inspector will only store the metadata about each request and response. Full Capture mode is an opt-in setting on your ngrok account that will store the full request and response parameters, headers, and bodies for each traffic event that flows through your endpoints. Full Capture mode may capture sensitive data based on the use case. This data is stored for 3 days.
Event Store is event logging within ngrok’s platform
ngrok stores events when configuration changes occur in your account. This includes events like agent session start / stop, API key created / updated, and IP Policy created / deleted. A full list of events and data included in these events can be found at https://ngrok.com/docs/obs/reference/#traffic-events. This data is stored indefinitely.
Where is your data transmitted and stored?
ngrok is split into a control plane and data plane. The control plane is responsible for handling API requests and is the source of truth for account and user data. The data planes are responsible for hosting the tunnels and routing the customer traffic. ngrok also leverages several third party providers when handling customer data.
Control Plane: Any information stored by ngrok would reside in the control plane. This is hosted out of a US-based AWS region.
Data Plane: Customer traffic runs through ngrok’s regional data planes, located in Australia (Sydney), Europe (Frankfurt), India (Mumbai), Japan (Tokyo), South America (São Paulo), United States (California and Ohio)*.
By default, ngrok will route traffic via the most low latency route. Customers can control which regional data plane their tunnels connect to via the agent configuration and which regional data plane their customers connect into via DNS. If a region is specified, customer traffic will only be routed through that region.
How long is your data retained?
ngrok will retain data at the direction of our customers. Customers can delete their data at any time within the ngrok Dashboard or by contacting ngrok support.
How is your data secured?
Public Internet: TLS 1.2 or higher is used to secure traffic over the public internet.
Control Plane: Any information stored by ngrok would reside in the control plane. All data is encrypted at rest. This includes databases, host filesystems, network mounted file systems, and data sent to data warehousing services.
Data Plane: Data sent over ngrok tunnels via our Data Planes can be secured in a number of different ways, depending on how a customer configures ngrok.
- For HTTP traffic, ngrok opens only HTTPS endpoints and manages TLS certificate generation, renewal, and termination automatically. This eliminates configuration for your team while allowing our modules to handle content inspection, authentication, and webhook verification. Customers can also provide their own TLS certificates.
- Customers can also configure end-to-end encryption using ngrok’s TLS or TCP tunnels. This requires configuring either your local service or the ngrok agent with the appropriate TLS key and certificate. It is the most secure option and helps you meet security and compliance requirements from the start but limits the additional capabilities ngrok can provide.
Third parties
ngrok leverages several third parties to provide services to our customers. Our list of subprocessors can be found at trust.ngrok.com. These third parties are evaluated as part of ngrok’s vendor management program. Due diligence processes are performed based on an inherent risk assessment and are reviewed as a part of our SOC2.
Learn more about security and compliance at ngrok
More information on our security program is available at trust.ngrok.com. Information on how to securely configure the ngrok platform is located at docs.ngrok.com. You can also check out docs for the most up to date information regarding data plane regions.
To sign up to receive timely, low volume security and privacy updates from ngrok, hit up our Trust Center. And as always, we’re here to answer any questions you have. Drop us a line: [email protected].