Data Privacy and Security
The Speakeasy platform is built with security and privacy as its top priorities.
- Principle of least access - All users of the platform and hosted developer portal have access scoped to a Workspace. All API keys, access tokens and stored API request logs are scoped to a Workspace.
- Secure Data storage - All API request and response data is stored in ISO/IEC 27001 verified data centers. We use Google Cloud as our primary cloud provider for the hosted offering.
- Secure communication - All network communication is encrypted in transit with SSL/TLS. For data transport we use secure gRPC and for all other APIs we use HTTPS by default.
- Secure access - All access to the Speakeasy web app is done via OAuth 2.0. We use GitHub login and Google Identity Platform as our primary identity providers.
- Telemetry - We log all access to the Speakeasy web app and hosted developer portals including IP address, user agent, time of access and the API endpoint accessed. We use this data to monitor and improve the platform.
- Data retention - By default API request logs are retained for 30 days.
- Key masking - Any request logs sent to Speakeasy can be optionally masked. This includes cookies, headers, query params, auth information or any other keys in the API request and response logs. See documentation on language-specific SDKs for more details.
- Data deletion - All data stored in a Speakeasy workspace can be deleted on request. This includes API request logs, aggregate metrics and any other data stored in Speakeasy.
- Data export - All data stored in a Speakeasy workspace can be exported on request. This includes API request logs, aggregate metrics and any other data stored in Speakeasy.
Self hosting Speakeasy is in preview. Please reach out to us if you are interested in hosting Speakeasy on your own infrastructure or check out our helm-charts repository.
All the security and data privacy features from Speakeasy Cloud apply to self-hosting the product with the notable exceptions of:
- Secure Data Storage - All data is stored in your own infrastructure (either on cluster or in your data warehouse). Data retention, expiry, and deletion are left up to the user of Speakeasy.
- Telemetry - By default we still collect information on user access and system uptime, but this can be disabled by setting the TELEMETRY_ENABLED environment variable to false when deploying using Speakeasy helm charts. This achieves a completely air-gapped environment.
When self-hosting Speakeasy, network configuration is left up to the user, including DNS configuration, load balancing, and ingress configuration. By default we do not configure any out-of-VPC resources.
Found a bug or vulnerability?
Think you may have found a security bug? We'd be happy to work with you to explore and resolve the issue, and to ensure you are fairly rewarded. Rewards will be based on severity, per CVSS (Common Vulnerability Scoring System). Get in touch with us at email@example.com to learn more.
Please don't hesitate to reach out to us at firstname.lastname@example.org for any questions on the above!