Built to be on your critical path.
When your infrastructure depends on ngrok, our security is part of yours. We treat it that way.
We operate with defense in depth and least privilege.
Together they contain the blast radius of a single compromised component, so one failure cannot take down the whole system.
Data at rest
All databases, filesystems, and data warehousing are encrypted at rest. Secrets you upload are further encrypted at the application layer with keys only we control.
Data in transit
Agent-to-edge connections use TLS 1.2 or newer. HTTPS endpoints get certificates provisioned automatically. For stricter requirements, configure end-to-end encryption so that ngrok forwards the TLS stream without terminating it and sees only ciphertext (in that mode, edge features that inspect request contents are not available).
Network architecture
ngrok separates its control plane from its data plane. The control plane handles account configuration and API requests from a US-based AWS region. Regional data planes route traffic through global Points of Presence. Pin to a specific region to meet data residency requirements.
Least-privilege production access
Engineers get only the access they need. Shell access uses SSH certificate authorities for time-limited grants, every grant is audit-logged, and services assume least-privilege roles scoped to each operation.
Change management
Every change is automatically scanned for known vulnerabilities (CVEs) in dependencies, syntax errors, and outdated dependencies. Nothing merges without passing automated tests and a human code review. Deployments and infrastructure changes are fully automated.
Developer access
MFA on every account, SSO for vendor apps, and automated credential rotation. Dev machines require full disk encryption. Every vendor gets a thorough security review before adoption.
Secrets & credentials
Internal secrets are stored in HashiCorp Vault with automated key rotation. For API keys and credential tokens, we keep only one-way salted hashes, never the originals, so a presented credential can be verified but cannot be recovered from the store.
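The pattern described above, as an added example that is not ngrok's own code: a token is issued once in plaintext, only a salted SHA-256 of its secret part is kept, and verification recomputes the hash and compares it in constant time. The token format (`<id>_<secret>`), the in-memory `TOKEN_STORE` and the function names are assumptions made for this illustration.

```python
"""Keeping only salted one-way hashes of API tokens (added example, not ngrok code)."""
from __future__ import annotations

import hashlib
import hmac
import secrets

# Constructed in-memory "database": token_id -> (salt, hash).
# The plaintext secret is never written here, so a leak of this store
# yields nothing a client could present to authenticate.
TOKEN_STORE: dict[str, tuple[bytes, bytes]] = {}


def _hash_token(secret: bytes, salt: bytes) -> bytes:
    # A high-entropy random secret does not need a slow KDF: an attacker cannot
    # enumerate 256 bits of entropy, so a single salted SHA-256 is sufficient.
    # (Passwords chosen by humans are a different case and need a slow KDF.)
    return hashlib.sha256(salt + secret).digest()


def issue_token() -> str:
    """Create a token of the form <token_id>_<secret>, store only the salted hash of
    the secret, and return the plaintext exactly once. The caller must display it now;
    it cannot be retrieved later."""
    token_id = secrets.token_hex(8)       # public lookup key, hex so it never contains "_"
    secret = secrets.token_urlsafe(32)    # 256 bits of entropy
    salt = secrets.token_bytes(16)
    TOKEN_STORE[token_id] = (salt, _hash_token(secret.encode(), salt))
    return f"{token_id}_{secret}"


def verify_token(presented: str) -> bool:
    """Look up by token_id, recompute the salted hash and compare in constant time."""
    token_id, sep, secret = presented.partition("_")
    if not sep:
        return False
    record = TOKEN_STORE.get(token_id)
    if record is None:
        # Hash anyway so an unknown id costs the same time as a wrong secret.
        _hash_token(secret.encode(), b"\x00" * 16)
        return False
    salt, stored = record
    return hmac.compare_digest(_hash_token(secret.encode(), salt), stored)


def revoke_token(presented_or_id: str) -> bool:
    """Revoke by full token or by its public id; returns True if something was removed."""
    token_id = presented_or_id.partition("_")[0]
    return TOKEN_STORE.pop(token_id, None) is not None
```

Because the stored value is a hash, a support workflow can only reissue a token, never reveal the old one; the constant-time comparison keeps a wrong secret from being distinguishable by timing.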
Shared responsibility model
A shared responsibility model splits security obligations between the platform and the people using it. The platform secures the infrastructure; you secure how you configure and use it.
Our responsibility
ngrok secures the ngrok service and provides the features you need to secure your own services.
Your responsibility
You're responsible for securing how you use ngrok—granting correct permissions, disabling accounts when employees leave, and keeping ngrok agents up to date.
We also give you security controls for your own traffic.
ngrok sits in the path between your users and your services, giving you the power to enforce security policy at ngrok's cloud—before requests reach your infrastructure.
Traffic controls
Traffic Policy
Write declarative rules that inspect, verify, transform, rate-limit, or reject requests at the edge, not in your application code.
Authentication at the edge
Enforce OAuth, OpenID Connect, SAML, JWT validation, or mutual TLS on any endpoint, or allow/deny traffic by IP address or CIDR range. ngrok rejects unauthorized requests before they touch your services.
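The IP allow/deny part of this, as an added example that is not ngrok's Traffic Policy engine or schema: a constructed `IPRestriction` rule where deny takes precedence over allow, an empty allow list means "allow unless denied", IPv4-mapped IPv6 peers are normalised so IPv4 rules still match, and a `resolve_client_ip` helper that only honours `X-Forwarded-For` when the TCP peer is a trusted proxy. Rule shape, function names and the sample addresses are assumptions for this illustration.

```python
"""Allow/deny a request by client IP or CIDR before it reaches the origin
(added example; the rule shape is constructed, not ngrok's Traffic Policy schema)."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field


@dataclass
class IPRestriction:
    allow: list = field(default_factory=list)   # CIDRs permitted
    deny: list = field(default_factory=list)    # CIDRs rejected; deny always wins

    def __post_init__(self) -> None:
        self.allow = [ipaddress.ip_network(c, strict=False) for c in self.allow]
        self.deny = [ipaddress.ip_network(c, strict=False) for c in self.deny]

    def decide(self, client_ip: str) -> tuple[str, str]:
        """Return ("allow"|"deny", reason) for one client address."""
        try:
            ip = ipaddress.ip_address(client_ip)
        except ValueError:
            return ("deny", "unparseable client address")
        # A dual-stack edge may see ::ffff:203.0.113.5 for an IPv4 client;
        # unmap it so an IPv4 rule still applies.
        if ip.version == 6 and ip.ipv4_mapped is not None:
            ip = ip.ipv4_mapped
        for net in self.deny:
            if ip in net:                      # False across IPv4/IPv6 mismatch
                return ("deny", f"matched deny {net}")
        if self.allow:
            for net in self.allow:
                if ip in net:
                    return ("allow", f"matched allow {net}")
            return ("deny", "no allow rule matched")
        return ("allow", "no allow list configured")


def resolve_client_ip(peer: str, forwarded_for: str | None, trusted_proxies: list) -> str:
    """Pick the address to evaluate. The TCP peer is authoritative unless it is a proxy
    we trust; then walk X-Forwarded-For from the right and take the first hop that is
    not a trusted proxy. The leftmost XFF value is client-controlled and never trusted."""
    trusted = [ipaddress.ip_network(c, strict=False) for c in trusted_proxies]

    def is_trusted(addr: str) -> bool:
        try:
            a = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(a in n for n in trusted)

    if not is_trusted(peer) or not forwarded_for:
        return peer
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted(hop):
            return hop
    return peer


if __name__ == "__main__":
    rule = IPRestriction(allow=["10.0.0.0/8", "203.0.113.0/24"], deny=["10.0.5.0/24"])
    for ip in ["10.0.1.7", "10.0.5.9", "198.51.100.1", "::ffff:203.0.113.5"]:
        print(ip, rule.decide(ip))
```

Two things the evaluator encodes that are easy to get wrong when doing this in application code instead of at the edge: deny must be checked before allow regardless of list order, and the address checked must be the one the edge actually saw on the socket, not a header the client can set.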
Region pinning
Pin domains to specific Points of Presence so HTTP/HTTPS traffic is processed only in the regions you choose—a practical path to data residency for GDPR and similar requirements.
Account governance
Identity and access
SSO with your identity provider, SCIM provisioning, role-based access control, and Account Domain Controls to route every user on your domain into a single managed tenant.
Credentials and agents
Service users for automation, scoped authtokens per agent or deployment, and access control lists to restrict where agents connect and what they create.
Audit logging
Every configuration change, authentication event, and API call is logged. Stream events to your SIEM or query them directly through the Event Store and event subscriptions.
A security review won't slow down your launch.
We've done the compliance legwork already. The audits, attestations, and documentation are ready when you need them.
SOC 2 Type 2
ngrok is SOC 2 Type 2 compliant. The attestation verifies our security processes are documented, followed daily, and meet AICPA's trust services criteria. Reports are available on request.
HIPAA & BAA
ngrok supports HIPAA-compliant deployments and will sign a Business Associate Agreement. If you handle protected health information, talk to us about your requirements.
GDPR & data residency
ngrok is GDPR compliant and supports data residency for organizations with regional requirements. We publish both our Data Processing Agreement and sub-processor list for review.
EU-US Data Privacy Framework
ngrok participates in the EU-US Data Privacy Framework, one of the recognized legal mechanisms for transferring personal data from the EU to the US. This certification is separate from our GDPR compliance.
CCPA
ngrok is CCPA compliant. We don't sell or share personal data.
Annual penetration testing
An independent firm tests our infrastructure and applications every year, with critical findings remediated before the engagement closes.
We actively fight abuse.
ngrok is a tunneling tool, and tunneling tools attract bad actors. We don't ignore that. Automated systems flag suspicious activity in real time, a dedicated team reviews and bans abusive accounts, and we work with third-party security vendors and ISPs to take down phishing and malware campaigns. Report abuse to abuse@ngrok.com or through our abuse APIs.
Report a vulnerability
Found a security issue in ngrok? Report it to security@ngrok.com. We acknowledge every report and work with researchers to resolve issues before disclosure.
Have questions about security or compliance?
We're happy to walk through certifications, controls, or enterprise requirements.