Security is deeply considered in every aspect of our product, and in every decision we make. Stemming from our company value “Secure by Design,” we made sure that our product was secure from day one, and that our internal policies were secure from the get-go.
Our co-founder and CSO, who comes from the Dropbox Infrastructure Security Team, has built a culture that makes security top of mind for all of us.
When you use Fleetsmith, we know you’re trusting us with an incredibly important responsibility. This is our approach to security, and what we’re doing to maintain your trust in us:
Best Practices
We follow best practices for secure development, including security design reviews, code reviews, unit tests, and integration tests.
Corporate
We don’t believe in the concept of a trusted corporate network. We assume all networks are untrusted, and focus instead on making sure our endpoints (e.g. laptops) are secure. We mandate security on-boarding training for all new hires, which includes setup and training on using a password manager.
Development & Production
Access into both development and production environments requires both SSH keys and 2FA. We use Vault for secure secrets management.
Mandatory 2FA
We enable mandatory 2FA for all employees on all services where it is supported. Before deciding to use another third-party cloud service, we assess both the type of data that would be stored there and that company’s security practices to make sure they meet our high standards.
Security testing and research
We believe that security researchers make computing safer and more secure for everyone, and thus we encourage security testing and research on Fleetsmith.
Here are the ground rules:
(a) such research must not be for the purpose of creating competitive or similar products
(b) such research must not interfere with the Services or otherwise impact the reliability, availability, or security of Fleetsmith for other users
(c) findings of said research must be disclosed to the Company and follow computer security industry best practices for responsible disclosure.
Potential security vulnerabilities can be reported to us by emailing [email protected]. If you'd like to encrypt sensitive information before sharing it with us, our PGP key can be found below.