Security, Privacy, and Compliance

Working with ngrok means working with a vetted, secure solution & seasoned team who understands security

Security hero

Trusted by over 5 million developers and recommended by category leaders

twilio logoslack logohackerone logogithub logookta logo

Security at ngrok

The ngrok service is designed, built, maintained, monitored, and regularly updated with security in mind. We use the shared security responsibility model, a framework adopted by many cloud providers — including Amazon AWS, Microsoft, and Salesforce — to identify the distinct security responsibilities of the customer and the cloud provider. In this model:

ngrok is responsible for the security of the ngrok service. ngrok is also responsible for providing features you can subscribe to in order to secure your services.
Our customers are responsible for securing how they use the ngrok service. This includes, for example, granting the correct permissions to users and administrators, disabling accounts and auth tokens when employees are terminated, properly configuring features required to protect your data, and keeping ngrok agents updated in our systems.

How ngrok secures its software development process

The ngrok software development lifecycle is designed with precautions to reduce security risks during code development while delivering software functionality. ngrok adopts rigorous processes and automation to ensure consistency across the development.

How ngrok secures its service

ngrok implements runtime controls at the service level to ensure the confidentiality, integrity, and availability of its service.

Philosophy

Our general philosophy for keeping our production environments secure has two main components: defense in depth and principle of least privilege.

Access control

We practice 'least privilege' access grants. Engineers get the minimum level of production access they need. Shell access to production machines uses industry best practices of SSH certificate authorities to grant time-limited access in extraneous circumstances.We keep audit logs of all grants to access production machines. Services that manipulate cloud resources are granted least privilege access grants via an associated 'Role' they assume to perform those operations.

Data encryption

All data is encrypted at rest. This includes databases, host filesystems, network-mounted file systems, and data sent to data warehousing services. All secrets and keys uploaded by users are further encrypted at the application layer with keys that only we control.All internal secrets used by ngrok are stored encrypted at rest with key rotation using industry secret key storage provided by HashiCorp Vault. For API keys, credential tokens, and passwords, we only keep one-way salted hashes of users' credential tokens.

Resources

Recommendations for using ngrok securely

This guide will walk you through recommendations for ensuring you are using ngrok securely.

Learn More

Best security practices on developer productivity

Learn the best practices to secure developer teams using ngrok while leveraging your company security stack.

Learn More

ngrok
Trust portal

Learn more about ngrok's security controls. Access our compliance certifications and attestations.

Learn More

ngrok
Service status

Review ngrok's real-time and historical data on system performance.

Learn More

Privacy

As a company, we take customer data privacy seriously, ensuring that:

All new vendors, assets and activities pertaining to processing personal data are subject to a review of privacy, security, and compliance.

Personal data is properly collected, stored, and documented.

Relevant processes are followed for transfers of personal data outside the European Union / UK.

For more information, read our privacy policy.

privacy illustration

Data Sovereignty

Our customers can use ngrok through our public service or our private offering for complete control of their data and processes. For more information about our private offering, contact our sales team and read our primer about data at ngrok.

Compliance

ngrok is SOC 2 Type 2 compliant.

The SOC 2 Type 2 attestation certifies that ngrok's security processes and operations are in place and that we follow these processes and operations on a daily basis, meeting AICPA's trust services criteria for security.

ngrok provides access to the SOC 2 reports as well as all third party security upon request at the ngrok security and trust portal.

Have security needs like HIPAA? Talk to us

compliance illustration