Security and Compliance

At Cypress, security is our top priority. Cypress knows your data is very sensitive, which is why we leverage enterprise-grade security features with regular audits of our applications, systems, and networks to ensure that you can trust the infrastructure that hosts the systems we know they rely upon.

Report a Security Issue

The Cypress Test Runner is an open source tool for testing anything that runs in a browser. The Cypress Test Runner records test results to the Dashboard Service, a commercial offering that aggregates the test results from the Test Runner. Customer security and privacy is the highest priority for Cypress.

The success of our customers is core to our business, and the trust and confidence of customers that rely on Cypress is of the utmost importance to the Cypress.io organization.

Compliance

  • Customer security is the highest priority to Cypress. To ensure that Cypress provides customers with the highest levels of quality and security of services, Cypress performs audits and maintains SOC2 Type 1 compliance.

  • The SOC2 Type 1 report is an independent audit of the controls relevant to security, availability, and confidentiality put in place by Cypress. SOC 2 compliance is a component of the American Institute of CPAs (AICPA)’s Service Organization Control reporting platform.

SOC2 badge

Security Disclosures

If you believe you've found a potential security issue, we want to ensure the correct members of our team are alerted as soon as possible.

  • Please do not post it in the issues.

  • Please email Cypress security directly at [email protected].

  • The Cypress implementation around the area of email spoofing, DKIM, SPF, and DMARC records is according to design. If you discover an issue pertaining to one of the follow areas, please do not hesitate to report it:

    • Injection vulnerabilities

    • Authentication or session problems

    • Improper access to sensitive data

    • Broken access controls

    • Cross-site scripting

    • Anything from the OWASP Top 10 List

  • If you do discovery a vulnerability, we ask that you act in a manner to protect our users' data and work with us to close the vulnerability before disclosing it to others.

Infrastructure Security

  • Cypress hosts all services on Amazon Web Services (AWS) facilities in the USA. AWS operates a shared security model and provides an extensive list of certifications, including SOC2, PCI-DSS, and ISO27001.

  • All connections to Cypress services are encrypted using at least TLS1.2, with the latest high-grade ciphers. Cypress maintains a grade "A" rating from Qualys' SSL Labs for service endpoints.

  • All customer data is encrypted at rest and during transit.

  • System passwords are encrypted using AWS KMS with restricted access to specific production systems.

  • Infrastructure access and authorizations are provided on a need-to-know basis, and based on the principle of least privilege. Access to the AWS production system is restricted to authorized personnel.

Development Security

  • As a part of the SOC2 certification program, Cypress maintains security policies.

  • All policies are updated, communicated, and approved by management annually as a part of the SOC2 audit.

  • All new employee hires must pass a background check.

  • All employees participate in security awareness training. Engineers receive additional security training covering the OWASP Top 10 security issues.

  • The Cypress software development lifecycle (SDLC) provides a framework for the security creation of high quality code.

    • Code reviews are a part of all new feature development. No piece of code is merged without a code review.

    • All development phases have unique hosting environments in unique accounts to ensure no overlap with production.

  • Communication with the SCM (source code management) system is always encrypted using SSH.

  • No secrets are permitted to be stored in the SCM (source code management). All secrets are stored in the environment-specific secrets management system. Secrets are only retrievable by the environment-services.

  • All services used by the Cypress.io organization, such as AWS or Google Apps, leverage multifactor authentication (MFA) to ensure systems remain secure.

Network Security

  • Cypress performs daily automated vulnerability scans of the hosting infrastructure.

  • Cypress employs an intrusion detection system, with immediate alerting, for the monitoring of all infrastructure access.

  • Cypress network layers are built upon a multi-tiered platform, composed of a DMZ, trust zone, and database zone.

  • Cypress network access security is protected by a bastion host, whitelisted known IP addresses for accessing that bastion, and AWS Security Group based firewalls.

  • All data in transit is encrypted via TLS and SSH.

Service Availability

The status of Cypress services is available publicly. The Cypress system status webpage includes system availability details, along with scheduled maintenance, service incident history, and relevant security events.

Security Incident Response

  • As a part of the Cypress Incident Response policy, the incident response team responds to all security incidents.

  • The incident response team maintains runbooks to facilitate decision making and ensure smooth incident handling.

  • Security incidents are published on the Cypress system status webpage as well as communicated directly to our paid customers.

FAQ

What does Cypress store and what is it used for?

  • The Cypress Dashboard stores what is required for a user to log in, specifically their email address. Only the email addresses of users from an organization who have signed up for the Dashboard Service are stored within the database.

  • The Cypress Test Runner records test results when initiated by the user and sends those results to the Dashboard Service. The test result data stored in the Dashboard is only for the eyes of the customer recording the data. At no time does customer data get sent to third parties nor is it used by members of the Cypress.io organization.

  • For the purposes of capacity planning, Cypress does track the number of test results recorded by each customer.

What backup and recovery procedures are in place?

  • Data backups occur daily.

  • 35 days of backups are saved.

What type of information does Cypress receive from customers?

  • Screenshots, screen recordings, and application logs of test runs of the Cypress Test Runner application.

  • Basic GitHub information of the git commit related to the test run such as GitHub username, git commit ID, and git commit message.

Is there data encryption in place?

  • All data is encrypted in-transit.

  • All data is encrypted at-rest.

  • Encryption keys are not retrievable.

  • Key custodian/management responsibilities are held by the DevSecOps team.

In the event of a disaster, what is the estimated time for resumption of the Services?

  • The Cypress RTO (Recovery Time Objective) is 24 hours.

  • The Cypress RPO (Recovery Point Objective) is 24 hours.

Has your company ever experienced a security breach involving client data?

No. Cypress has never had a security breach.

Does your company store confidential information on removable media?

Cypress does not use removable media to store or transfer data.

Does Cypress perform internal penetration tests to avoid potential security threats?

Cypress performs penetration testing of all hosted services annually. Cypress performs daily vulnerability scans of all hosted services.

Does Cypress need access to a customer's network or systems?

The Cypress Dashboard services do not need access to the customer's network. The Cypress TestRunner operates internally on a customer's network and then, optionally, sends test results to the Cypress Dashboard. The only thing sent to the Dashboard is what the customer chooses to send. At no time do the Cypress Dashboard services reach in to the customer's network.

Does Cypress use unencrypted HTTP?

All Cypress traffic is transmitted over TLS1.2 encrypted HTTPS with the latest industry-standard ciphers.

Does Cypress use unencrypted FTP?

No part of the Cypress services or the Cypress organization use FTP, unencrypted or otherwise.

Does the Cypress Dashboard include support for RBAC (Role Based Access Control) ?

The Cypress Dashboard includes support for three types of roles: Owners, Admins, and Members.

Members Can see projects, runs, and keys for an organization.

Admins Have the power of Members, but can also manage users and billing for an organization.

Owners Have the power of Admins, but can also transfer or delete projects.

Does the Cypress Dashboard support Single Sign-On (SSO)?

The Cypress Dashboard has support for federated user-authentication from: Google, GitHub, or SAML2. SAML2 is supported as an add-on to any of the paid pricing plans.

Will you be storing, processing, or transmitting personal information?

  • No PII (personal identifying information), or PHI (personal health information), is intentionally stored by Cypress. Cypress only stores the results of tests.

  • Cypress operates with a shared responsibility model. Cypress stores data safely and securely and Cypress trusts customers not to record data that should not be recorded. For example, if a customer were to use Cypress take a screenshot of a SSN, or some other PII, then there is nothing we can do to stop the customer from doing it.

  • Cypress does take every precaution to ensure that all data stored is encrypted and not accessible except by the party which stored it.

Where is Cypress data stored?

Cypress hosts all data in AWS (Amazon Web Services) in the West Virginia, USA (us-east-1) region.

Are customers permitted to perform security testing against staging or production environments?

Security testing by customers is not permitted. Cypress performs an extensive sets of internal security tests to ensure that all customer data is secure.

Does Cypress operate a bug bounty program?

Cypress does not operate a Bug Bounty program. In the event that a third party discovers a vulnerability, please disclose that information through [email protected]. Please do not submit vulnerabilities through the public issue tracking on GitHub.

Do you conduct external penetration test at a regular interval?

Cypress performs penetration tests annually as a part of our compliance program.

Has Cypress experienced a security incident within the last 3 years?

Cypress has not experienced any security incidents.

Have more questions? Contact us.