Security

Security is our top priority when it comes to your source code. We make sure our infrastructure is protected and secure so that one of your most valuable assets is safe and protected from unauthorized access.

Systems

Your code, depending on which platform or language runtime you're using, runs on virtualized servers hosted in different regions on Amazon EC2.

Your deployments run in an isolated environment. The virtualized servers they're running on are destroyed after each run and are always restored from a snapshot image that has no knowledge of any source code other than the code required to create our deployment environment.

All traffic to and inside of Squash is secured and encrypted with SSL/TLS.

We reserve the right to change the underlying infrastructure of Squash at any time.

Services and Data Storage

We use the following services to run Squash:

  • Amazon Web Services EC2 (security policy) to run all of the components that form the Squash service and to store data like deployment logs, OAuth tokens and user data.
  • Google Analytics to track visits to our website.

We reserve the right to change the services used to run Squash at any time.

Our use of the above services is bound to their respective security precautions and their availability.

Credit Card Data

Squash does not store or receive any kind of credit card data other than a reference token that allows us to create payments with our payments provider Stripe, a PCI Level 1 certified payments provider. Please refer to their security policy for more details: https://stripe.com/help/security.

How does Squash access my GitHub account?

When you sign up for Squash, we collect an OAuth token from GitHub, which allows us to request data from the GitHub API on your behalf. This OAuth token is stored securely in our database and is protected from unauthorized access.

The token is bound to permissions set on GitHub, so please make sure you've read their documentation on access control and API access permissions.

We use this token in these situations, and under no other circumstances than described below.

  • To synchronize the repositories you have access to. We use this information to show you the available repositories on your profile page so you can enable or disable running them on Squash.
  • To configure service hooks on a repository you configure to run on Squash
  • >To generate and store an SSH key on GitHub, which is used to access your source code on your deployment machines. We store this key securely and use it every time we need to start a new deployment on our machines.
  • To access the project configuration file .squash.yml from your GitHub repository.

Under no circumstances Squash writes or modifies source code or Git metadata in your GitHub repositories, source code from your repositories is accessed read-only for the sole purpose of automatically executing the requested deployments.

However, to allow us to automatically specify SSH keys, service hook configurations and commit status on your GitHub repositories, we have to request write access to them.

How does Squash access my source code?

Other than reading your .squash.yml to determine the best deployment strategy, the only time we access your repository directly is when checking out the source code on one of our deployment machines.

Source code is only accessed via SSH, using SSH keys for authentication. Each project setup up on Squash gets its own SSH key, you'll receive an email notification when we add it to your project. This step happens when you set up the project on Squash for the first time.

What data do we store from GitHub?

When you push code to GitHub for a repository that is set up to run on Squash, we get a push notification. The same is true for pull requests that are sent to us.

These notifications don't include any sensitive information other than commit references, names of files changed, and who authored and committed the changes.

We store these deployment notifications for debugging purposes, and for debugging purposes only.

I have more questions about security and Squash

Just send us an email to support@squash.io, and we will be happy to help.