System Security

Bintray is hosted in data centers in Dallas and Amsterdam, and is operated by a data center provider that maintains industry-standard certifications. The data center we use for hosting Bintray are Service Organization Controls (SOC) 2 Type II compliant. We are using a hardened OS for all servers. System updates are installed weekly during maintenance time. Firewalls and VPN services are used for blocking unauthorized system access.

Application Security

User password are one-way encrypted in the database using a strong encryption algorythm. All communication with the Bintray front-end and REST API is done over SSL. The code is being reviewed and tested to rule out potential attacks, such as XSS, CSRF, SQL injection and other. We perform penetration tests based on the OWASP recommendations. Tests are performed by 3rd party companies specializing in web application security.

Employee Access

Bintray servers can be accessed only by authorized JFrog employees. Access is done using SSH via a secure VPN channel and authentication is done using identified passphrase-protected keys. All system access is logged for auditing purpose. JFrog employees may access private repositories if required to for support reasons. JFrog Support staff may sign into your account to reproduce issues related to your support ticket.

High Availability and Redundancy

Bintray was designed as a highly available service and has multiple levels of redundancy built in. The service is hosted in multiple data centers, service components, including front-end and download servers have multiple, redundant active cluster instances. Communication is load-balanced with failover logic in case of a failure. Databases are actively clustered on multiple physical machines, with multiple backup copies of data. Artifacts are stored in a highly available object storage. Files are written multiple times per cluster, with auto-healing capabilities in case of storage failure.

Backup Policy

Besides managing multiple copies of each artifacts in the objectstore we have an ongoing, secure backup of artifacts to a secondary off-site objectstore hosted by a different data center provider, that is also SOC 2 compliant. Databases are backed up daily, and are securely copied to the different data center provider.

Credit Cards

We do not store any credit card information on our servers. Payments are handled by Zuora, an industry leading ecommerce platform supporting billing, commerce, and finance operations. Zuora maintains the following types of compliance and certifications: PCI, SSA16 SOC 1 Type II, HIPAA, Safe Harbor, Trust E, 2-factor authentication, SSO, SkyHigh security seal. For more information please see the Zuora website and Zuora’s privacy statement.