Security at ngrok
The ngrok service is designed, built, maintained, monitored, and regularly updated with security in mind. We use the shared security responsibility model, a framework adopted by many cloud providers — including Amazon AWS, Microsoft, and Salesforce — to identify the distinct security responsibilities of the customer and the cloud provider. In this model:
How ngrok secures its software development process
The ngrok software development lifecycle is designed with precautions to reduce security risks during code development while delivering software functionality. ngrok adopts rigorous processes and automation to ensure consistency across the development.
How ngrok secures its service
ngrok implements runtime controls at the service level to ensure the confidentiality, integrity, and availability of its service.
Our general philosophy for keeping our production environments secure has two main components: defense in depth and principle of least privilege.
We practice 'least privilege' access grants. Engineers get the minimum level of production access they need. Shell access to production machines uses industry best practices of SSH certificate authorities to grant time-limited access in extraneous circumstances.We keep audit logs of all grants to access production machines. Services that manipulate cloud resources are granted least privilege access grants via an associated 'Role' they assume to perform those operations.
All data is encrypted at rest. This includes databases, host filesystems, network-mounted file systems, and data sent to data warehousing services. All secrets and keys uploaded by users are further encrypted at the application layer with keys that only we control.All internal secrets used by ngrok are stored encrypted at rest with key rotation using industry secret key storage provided by HashiCorp Vault. For API keys, credential tokens, and passwords, we only keep one-way salted hashes of users' credential tokens.
Recommendations for using ngrok securely
This guide will walk you through recommendations for ensuring you are using ngrok securely.
Best security practices on developer productivity
Learn the best practices to secure developer teams using ngrok while leveraging your company security stack.
Learn more about ngrok's security controls. Access our compliance certifications and attestations.
Review ngrok's real-time and historical data on system performance.
All new vendors, assets and activities pertaining to processing personal data are subject to a review of privacy, security, and compliance.
Personal data is properly collected, stored, and documented.
Relevant processes are followed for transfers of personal data outside the European Union / UK.
ngrok is SOC 2 Type 2 compliant.
The SOC 2 Type 2 attestation certifies that ngrok's security processes and operations are in place and that we follow these processes and operations on a daily basis, meeting AICPA's trust services criteria for security.
ngrok provides access to the SOC 2 reports as well as all third party security upon request at the ngrok security and trust portal.