Security
Shape does not copy, cache or store any data from your database.
When you run a query, Shape runs the query directly in your database and sends the results to your browser. Results are never stored anywhere in Shape's systems.
Shape's infrastructure runs exclusively on Google Cloud Platform. Servers are hosted in the US in data centers that are SOC2 and ISO 27001 certified. Using GCP ensures physical security of Shape servers and ensures that our hardware and operating software are up-to-date with the latest security patches.
Shape's databases reside in private subnets and have only private IP addresses, making them inaccessible from the public internet. Connecting to Shape's databases requires SSL with a client certificate; all other connections are rejected. All databases are encrypted at rest and are backed up daily with a 7-day retention window.
Shape stores secrets required to connect to your databases. In addition to the database's encryption at rest, these secrets are also encrypted using Google's Key Management Service. All encryption keys are rotated weekly.
Shape's web application and all our APIs enforce HTTPS on all connections, and data in transit is encrypted with TLS 1.2. All logins are completely passwordless, requiring either SSO via Google or an emailed magic link.
All production servers are tightly firewalled and disallow all traffic except HTTPS traffic. Code deploys can occur through our CI/CD pipeline, orchestrated through Google Cloud Build. All logs are collected centrally and stored by Google Cloud Logging.
Last modified 8mo ago