# Security Overview

> **Info:** Security is of paramount importance to us. If you have any questions or concerns, please [contact us.](/contact/)

## Supply Chain Security

Artillery.io uses a software development process centered around continuous integration, deployment and verification, with security effort applied throughout the development and release cycle.

We use a number of security best practices to ensure security in our development and deployment processes:

* **MFA** and **single sign-on** are used and enforced across all services we use and depend on

* We use **CI** (and **CD** where appropriate), with **protected** main/deployment branches

* Static **security analysis and scanning** of application and infrastructure code, libraries and other dependencies with automated alerting

* **Centralized logging** for auditing and alerting

* **Infrastructure as code**, with all infrastructure & configuration changes going through CI/CD

* AWS best practices: **Assume Role** for access to AWS resources, with **CloudTrail** logs for auditing. AWS **Audit Manager** and **Security Hub** for continuous verification of our configuration against industry standards:

  * AWS **Foundational Security Best Practices** v1.0.0
  * CIS **AWS Foundations Benchmark** v1.2.0

  We are actively working on expanding the list of security benchmarks for our systems.

* We use an **MDM** solution for endpoint security on all employee and contractor devices

* All customer and user data is stored and processed by third-party suppliers (see [Vendor Security](#vendor-security)), subject to industry-standard security & compliance processes

Questions? Please [contact us](/contact/) with your inquiry.

## Solution Security

### Artillery CLI

#### Product Security

Security of Artillery when running in a customer's cloud environment is of utmost importance to us. Explicit design and architectural decisions have been taken to minimize risks and introduce no additional attack surface, such as:

* Artillery components deployed in a customer's cloud environment accept no inbound connections from outside that environment
* No changes to firewall, security group, or WAF configurations are required to deploy and use Artillery
* Artillery uses industry-standard mechanisms (e.g. AWS CloudFormation on AWS), with deployment mechanism and configuration being auditable
* Artillery components running in a customer's cloud environment use **IAM roles** with access rules based on **least privilege** principles, and strictly scoped to only access the resources/sub-resources required for Artillery's functionality
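The two architectural properties above (egress-only security groups and IAM roles scoped to named resources rather than wildcards) can be checked mechanically against a deployment template before it is applied. The following is an added example for this page, not Artillery's own code or deployment template: it runs both checks over a constructed, hypothetical CloudFormation template (the resource names, bucket, log group, VPC ID and account ID are all made up) and returns a list of findings, and then builds a deliberately over-broad variant of the same template to show what the checks catch.

```python
"""Static checks for a CloudFormation template: no inbound security group
rules, and no wildcard actions or resources in IAM role policies.

Added example for this page. The template below is constructed for the
example and is NOT Artillery's real deployment template; all names are
hypothetical.
"""
import copy
import json

# Constructed sample template with hypothetical resource names and IDs.
SAMPLE_TEMPLATE = json.loads(r"""
{
  "Resources": {
    "WorkerSecurityGroup": {
      "Type": "AWS::EC2::SecurityGroup",
      "Properties": {
        "GroupDescription": "egress-only group for load-generating workers",
        "VpcId": "vpc-0123456789abcdef0",
        "SecurityGroupEgress": [
          {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "CidrIp": "0.0.0.0/0"}
        ]
      }
    },
    "WorkerRole": {
      "Type": "AWS::IAM::Role",
      "Properties": {
        "AssumeRolePolicyDocument": {
          "Version": "2012-10-17",
          "Statement": [{"Effect": "Allow",
                         "Principal": {"Service": "ecs-tasks.amazonaws.com"},
                         "Action": "sts:AssumeRole"}]
        },
        "Policies": [{
          "PolicyName": "worker-least-privilege",
          "PolicyDocument": {
            "Version": "2012-10-17",
            "Statement": [
              {"Effect": "Allow",
               "Action": ["s3:GetObject", "s3:PutObject"],
               "Resource": "arn:aws:s3:::example-test-artifacts/runs/*"},
              {"Effect": "Allow",
               "Action": ["logs:CreateLogStream", "logs:PutLogEvents"],
               "Resource": "arn:aws:logs:eu-west-1:123456789012:log-group:/example/workers:*"}
            ]
          }
        }]
      }
    }
  }
}
""")


def _as_list(value):
    """IAM allows a single string or a list in Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def ingress_findings(template):
    """Flag any security group (or standalone ingress resource) that opens an inbound port."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        props = res.get("Properties", {})
        if res.get("Type") == "AWS::EC2::SecurityGroup" and props.get("SecurityGroupIngress"):
            findings.append(f"{name}: security group declares "
                            f"{len(props['SecurityGroupIngress'])} ingress rule(s)")
        if res.get("Type") == "AWS::EC2::SecurityGroupIngress":
            findings.append(f"{name}: standalone ingress rule")
    return findings


def wildcard_findings(template):
    """Flag Allow statements in inline role policies that use a wildcard action or resource.
    A resource ARN with a trailing '*' prefix (e.g. a key prefix) is still scoped and is not flagged;
    only the bare '*' resource and '*' / 'service:*' actions are."""
    findings = []
    for name, res in template.get("Resources", {}).items():
        if res.get("Type") != "AWS::IAM::Role":
            continue
        for policy in res.get("Properties", {}).get("Policies", []):
            doc = policy.get("PolicyDocument", {})
            for stmt in _as_list(doc.get("Statement", [])):
                if stmt.get("Effect") != "Allow":
                    continue
                actions = _as_list(stmt.get("Action", []))
                resources = _as_list(stmt.get("Resource", []))
                bad_actions = [a for a in actions if a == "*" or a.endswith(":*")]
                if bad_actions:
                    findings.append(f"{name}/{policy['PolicyName']}: wildcard action {bad_actions}")
                if "*" in resources:
                    findings.append(f"{name}/{policy['PolicyName']}: wildcard resource '*'")
    return findings


def audit(template):
    """All findings for a template; an empty list means both properties hold."""
    return ingress_findings(template) + wildcard_findings(template)


def overly_broad_template():
    """Constructed counter-example: the same template with both properties violated."""
    t = copy.deepcopy(SAMPLE_TEMPLATE)
    t["Resources"]["WorkerSecurityGroup"]["Properties"]["SecurityGroupIngress"] = [
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "CidrIp": "0.0.0.0/0"}
    ]
    t["Resources"]["WorkerRole"]["Properties"]["Policies"][0]["PolicyDocument"]["Statement"].append(
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}
    )
    return t


if __name__ == "__main__":
    print("scoped template:", audit(SAMPLE_TEMPLATE) or "no findings")
    print("broad template:", audit(overly_broad_template()))
```

The same two functions can be pointed at a real template (load it with `json.load`, or with a YAML parser for YAML templates) as a pre-deployment gate in CI; a non-empty result from `audit` is the signal to fail the pipeline and review the change.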

#### Data Security

Artillery is a self-hosted product, which means that *by design* Artillery employees and contractors **have no access** to user data including, but not limited to:

* IP addresses or hostnames of systems being tested, whether internal or external
* Geographical location of those systems
* Any static or dynamic data used by the tests, such as usernames, API keys, passwords, names, etc
* Test scripts and definitions themselves, including any YAML/JSON files and custom JS code
* Any other test metadata and configuration
* Any other personally identifiable information (PII)

### Artillery Cloud

Artillery Cloud is a managed service that provides reporting, collaboration and analytics functionality to users of the Artillery CLI.

We use a number of industry best practices to ensure the security of the Artillery Cloud service, such as:

* Regular pentests conducted by a third-party security firm
* Use of MFA and single sign-on for access to all production and development environments
* AWS account, VPC and security group segmentation for all components of the Artillery Cloud service
* Audit logging and monitoring of all access to all Artillery Cloud components, with enforcement of least-privilege access controls
* Encryption at rest for all data stored by Artillery Cloud
* Regular security training for all Artillery employees and contractors

All customer data resides in the `eu-west-1` region of AWS, and is not transferred to any other region or third-party services.

## Physical Security

Artillery.io production and development infrastructure is hosted in Cloud Service Provider (CSP) environments. Physical and environmental security controls for Artillery.io servers, including building access, locks and key management, are managed by those CSPs. See [Vendor Security](#vendor-security) for more details.

## Corporate Security

Transport-layer security (TLS) for network access is enforced for all services Artillery.io depends on, internal and external. Users are authenticated through a central identity provider using single sign-on and multi-factor authentication (including physical MFA tokens where possible).

## Vendor Security

Artillery.io leverages a number of third-party applications & services to support the delivery of our products to customers.

Our key subprocessors are listed below:

| Vendor                        | Residency      | Type of Service                      |
| ----------------------------- | -------------- | ------------------------------------ |
| Amazon Web Services, Inc      | United States  | Cloud infrastructure                 |
| Astrodon Inc (Loops)          | United States  | Marketing & transactional email      |
| Google LLC (G Suite)          | United States  | Email and office applications        |
| GitHub, Inc                   | United States  | Internal collaboration               |
| Datadog, Inc                  | United States  | Monitoring, logging and analytics    |
| PlanetScale, Inc              | United States  | Data hosting                         |
| PostHog, Inc                  | United States  | Product analytics                    |
| Sentry, Inc                   | United States  | Error tracking                       |
| Slack Technologies, Inc       | United States  | Collaboration                        |
| Stripe, Inc                   | United States  | Payment processing                   |
| Vercel, Inc                   | United States  | Cloud infrastructure                 |
