This Security Policy outlines the measures we take to protect you and your stakeholders when you use LayerCI (the “Website”).

Layer helps you pass security audits

LayerCI's core goal is to give our users a systematic way to evaluate the quality of their code. To pass security audits (such as SOC 2 Type II), you can use LayerCI as a core system to ensure systems and performance are consistent.

By leveraging our industry-leading caching system, you can populate a database with an anonymized dump of production data in seconds at the beginning of your LayerCI pipelines. This allows you to ensure that proposed changes will maintain data integrity and pass any necessary security gates.

Layer lets you integrate with any software that you want, so it's easy to integrate us with industry-leading security scanners such as Snyk, Vectrix, and SonarQube.

The data we store

Personally Identifiable Information

We store certain Personally Identifiable Information when you register for LayerCI. This information consists of:

  1. Your full name
  2. Your phone number (for billing purposes)
  3. Authorizations to perform actions on your behalf on our integration partners (e.g., GitHub and Slack)
  4. Your email addresses (which we use for support & marketing, on an opt-out basis)
  5. A link to your avatar (hosted on a third party site)
  6. Metadata such as the pages you visit and the actions you perform on the Website

We do not store any passwords or password hashes. Authentication is done entirely through third party providers when you log in.
We do not store any payment card information. Our payments are processed by Stripe, a PCI-compliant payment processor.

Source code

From the point that you install Layer to the point that you uninstall it, we may store a locally cached copy of any repository for which you request that we start CI runs.
This local copy is accessible only to authorized employees of LayerCI and to our hosting provider.

Secrets

LayerCI allows you to store secret values in a special section of the run dashboard and expose them with the SECRET ENV directive.

These secrets are encrypted at rest with military-grade AES-256. They are accessible only to administrators of your LayerCI account and to authorized employees of LayerCI.

Staging servers

Staging servers exposed through EXPOSE WEBSITE have no built-in authentication mechanism besides the unguessable URL. It is your responsibility to ensure that no sensitive data is exposed inadvertently by posting a link to the staging server or by creating a route to it.

To maximize safety, we recommend not putting any sensitive information on any server exposed by EXPOSE WEBSITE.

Staging servers which are not exposed by any LayerCI directive are accessible only to agents which you authorize to access your repository. We ask your SCM provider (e.g., GitHub, BitBucket) whether a specified user has access to a repository to determine whether they should have access to a staging server.

Authorized employees

Only authorized employees of Layer are given access to our production servers. These employees are senior engineering leaders and executives of Layer Devops Inc who have been thoroughly vetted.

Our hosting provider

We run our entire stack and store all of our data on resources provided by OVH, a multinational cloud provider.

Our hosting provider has the following certifications:

  • ISO 27001
  • SOC 1 Type II
  • SOC 2 Type II
  • CISPE
  • PCI DSS
  • EBA
  • HIPAA & HDS