Your pipeline is part of your attack surface.
We treat it that way.

Security isn't a feature you add later. It's the foundation of every deploy. We bake encryption, isolation, and compliance into the runtime itself.

Built for regulated industries.

We hold industry-standard certifications so you don't have to worry about the paperwork.

SOC 2 Type II

Certified by an independent auditor. We maintain strict controls over access, processing, and documentation.

ISO 27001

Information Security Management System certified. We adhere to rigorous international standards for information security.

HIPAA-Eligible

Our platform meets the technical safeguards required by the HIPAA Security Rule. Perfect for healthcare and life sciences.

GDPR Compliant

Full data processing agreement (DPA) included. We support data residency and right-to-erasure requests.

Defense in depth, built into the runtime.

We don't just secure the UI. We secure the execution environment where your code actually runs.

Encryption at Rest: All pipeline artifacts, logs, and configuration are encrypted using AES-256 in our object storage layer.

Encryption in Transit: All traffic between your infrastructure, our runners, and the Launchpad dashboard is secured via TLS 1.3.

Network Isolation: Production runners run in private subnets with no public internet access. They only communicate with your infrastructure via secure, authenticated APIs.

Sandboxing: Each job runs in an ephemeral container with strict resource limits and seccomp profiles, preventing privilege escalation.

Network topology diagram showing isolated runners and encrypted tunnels

Zero trust by design.

We enforce strict identity and access management policies to ensure only authorized users can trigger deployments.

RBAC & SSO

Integrate with Okta, Auth0, or Azure AD via SAML 2.0. Enforce role-based access control (Admin, Maintainer, Viewer) at the organization and environment level.

MFA Enforcement

Multi-factor authentication is mandatory for all users with write access. We support TOTP apps and hardware keys (YubiKey).

Session Management

Automatic session timeouts, secure HTTP-only cookies, and IP allowlisting for sensitive actions like production rollbacks.

Vulnerability Disclosure

We believe in responsible disclosure. If you find a security issue, let us know so we can fix it.

Bug Bounty Program: submit a report.

Talk to the red team.

We perform quarterly penetration testing and annual third-party audits. Full reports are available upon request for Enterprise customers.

Security Team

For security advisories, incident reports, or general inquiries.