Fleetsmith security


Security is deeply considered in every aspect of our product, and in every decision we make. Stemming from our company value “Secure by Design,” we made sure that our product was secure from day one, and that our internal policies were secure from the get-go.


Our co-founder and CSO, who comes from the Dropbox Infrastructure Security Team, has built a culture that makes security top of mind for all of us.


When you use Fleetsmith, we know you’re trusting us with an incredibly important responsibility. This is our approach to security, and what we’re doing to maintain your trust in us:

Product security

We follow best practices for secure development, including security design reviews, code reviews, unit tests, and integration tests.


Infrastructure security

Corporate

  • We don’t believe in the concept of a trusted corporate network. We assume all networks are untrusted, and focus instead on making sure our endpoints (e.g. laptops) are secure.
  • We mandate security on-boarding training for all new hires, which includes setup and training on using a password manager.

Development & Production

  • Access into both development and production environments requires both SSH keys and 2FA.
  • We use Vault for secure secrets management.

Third party security

We enable mandatory 2FA for all employees on all services where it is supported. Before deciding to use another third-party cloud service, we assess both the type of data that would be stored there and that company’s security practices to make sure they meet our high standards.


Security audits

We perform gray box penetration testing regularly on our web front-end, our backend services, our agent, and our infrastructure. These assessments are completed by respected third-party security firms.


Security research

We believe that security researchers make computing safer and more secure for everyone, and thus we encourage security testing and research on Fleetsmith. Here are the ground rules: (a) such research must not be for the purpose of creating competitive or similar products; (b) such research must not interfere with the Services or otherwise impact the reliability, availability, or security of Fleetsmith for other users; and (c) findings of said research must be disclosed to the Company and follow computer security industry best practices for responsible disclosure. Potential security vulnerabilities can be reported to us by emailing security@fleetsmithhq.com. If you'd like to encrypt sensitive information before sharing it with us, our PGP key can be found below.

