Security is our top priority when it comes to your source code. We secure our infrastructure so that one of your most valuable assets is protected from unauthorized access.
Your code, depending on which platform or language runtime you're using, runs on virtualized servers hosted in different regions on Amazon EC2.
Your deployments run in an isolated environment. The virtualized servers they're running on are destroyed after each run and are always restored from a snapshot image that has no knowledge of any source code other than the code required to create our deployment environment.
All traffic to and inside of Squash is secured and encrypted with SSL/TLS.
We reserve the right to change the underlying infrastructure of Squash at any time.
We use the following services to run Squash:
We reserve the right to change the services used to run Squash at any time.
Our use of the above services is bound to their respective security precautions and their availability.
Squash does not store or receive any kind of credit card data other than a reference token that allows us to create payments with our payments provider Stripe, a PCI Level 1 certified payments provider. Please refer to their security policy for more details: https://stripe.com/help/security.
When you sign up for Squash, we collect an OAuth token from GitHub, which allows us to request data from the GitHub API on your behalf. This OAuth token is stored securely in our database and is protected from unauthorized access.
The token is bound to permissions set on GitHub, so please make sure you've read their documentation on access control and API access permissions.
We use this token only in the situations described below, and under no other circumstances.
Under no circumstances does Squash write or modify source code or Git metadata in your GitHub repositories. Source code from your repositories is accessed read-only, for the sole purpose of automatically executing the requested deployments.
However, to allow us to automatically specify SSH keys, service hook configurations and commit status on your GitHub repositories, we have to request write access to them.
Other than reading your .squash.yml to determine the best deployment strategy, the only time we access your repository directly is when checking out the source code on one of our deployment machines.
Source code is only accessed via SSH, using SSH keys for authentication. Each project set up on Squash gets its own SSH key, and you'll receive an email notification when we add it to your project. This step happens when you set up the project on Squash for the first time.
When you push code to GitHub for a repository that is set up to run on Squash, we get a push notification. The same is true for pull requests that are sent to us.
These notifications don't include any sensitive information other than commit references, names of files changed, and who authored and committed the changes.
We store these deployment notifications for debugging purposes, and for debugging purposes only.
Just send us an email at email@example.com, and we will be happy to help.