Security, Privacy, and Compliance
Working with ngrok means working with a vetted, secure solution & seasoned team who understands security
Trusted by over 5 million developers and recommended by category leaders
Security at ngrok
The ngrok service is designed, built, maintained, monitored, and regularly updated with security in mind. We use the shared security responsibility model, a framework adopted by many cloud providers — including Amazon AWS, Microsoft, and Salesforce — to identify the distinct security responsibilities of the customer and the cloud provider. In this model:
How ngrok secures its software development process
The ngrok software development lifecycle is designed with precautions to reduce security risks during code development while delivering software functionality. ngrok adopts rigorous processes and automation to ensure consistency across the development.
How ngrok secures its service
ngrok implements runtime controls at the service level to ensure the confidentiality, integrity, and availability of its service.
Philosophy
Our general philosophy for keeping our production environments secure has two main components: defense in depth and principle of least privilege.
Access control
We practice 'least privilege' access grants. Engineers get the minimum level of production access they need. Shell access to production machines uses industry best practices of SSH certificate authorities to grant time-limited access in extraneous circumstances.We keep audit logs of all grants to access production machines. Services that manipulate cloud resources are granted least privilege access grants via an associated 'Role' they assume to perform those operations.
Data encryption
All data is encrypted at rest. This includes databases, host filesystems, network-mounted file systems, and data sent to data warehousing services. All secrets and keys uploaded by users are further encrypted at the application layer with keys that only we control.All internal secrets used by ngrok are stored encrypted at rest with key rotation using industry secret key storage provided by HashiCorp Vault. For API keys, credential tokens, and passwords, we only keep one-way salted hashes of users' credential tokens.
Resources
Recommendations for using ngrok securely
This guide will walk you through recommendations for ensuring you are using ngrok securely.
Best security practices on developer productivity
Learn the best practices to secure developer teams using ngrok while leveraging your company security stack.
ngrok
Trust portal
Learn more about ngrok's security controls. Access our compliance certifications and attestations.
ngrok
Service status
Review ngrok's real-time and historical data on system performance.
Privacy
As a company, we take customer data privacy seriously, ensuring that:
All new vendors, assets and activities pertaining to processing personal data are subject to a review of privacy, security, and compliance.
Personal data is properly collected, stored, and documented.
Relevant processes are followed for transfers of personal data outside the European Union / UK.
For more information, read our privacy policy.
Data Sovereignty
Our customers can use ngrok through our public service or our private offering for complete control of their data and processes. For more information about our private offering, contact our sales team and read our primer about data at ngrok.
Compliance
ngrok is SOC 2 Type 2 compliant.
The SOC 2 Type 2 attestation certifies that ngrok's security processes and operations are in place and that we follow these processes and operations on a daily basis, meeting AICPA's trust services criteria for security.
ngrok provides access to the SOC 2 reports as well as all third party security upon request at the ngrok security and trust portal.
Have security needs like HIPAA? Talk to us
