Data Safety & Integration Security Overview

Data Safety & Integration Security Overview

Our integrations are designed to process customer data securely, transiently, and with minimal footprint. Built on Google Cloud Run and aligned to OWASP principles, we encrypt data in transit and at rest, tightly control access, and continuously monitor for issues. Security is an evolving landscape; we regularly review and refine our controls, dependencies, and operational practices to address emerging threats and industry best practices.

Scope and guiding principles

• We build and run integrations on Google Cloud Run with security-by-design practices grounded in OWASP guidance.
• We minimise data handling: process only what’s required, keep it transient, and avoid storing customer data unless explicitly required for a feature.
• Access is granted on the principle of least privilege and is reviewed periodically.

Encryption and Data Handling

• In transit: All traffic to and from our services is encrypted using TLS (Cloud Run-managed HTTPS). Service-to-service calls also use TLS.
• At rest: Platform-managed encryption for all underlying storage on Google Cloud. Where applicable, we can support project-level controls (e.g., CMEK) if required by the customer.
• Data handling model: We treat customer payloads as transient. Requests are processed in-memory, then discarded. We do not persist customer data in application storage unless there is a clear, agreed requirement.
• Configuration data: “My Glue” settings and any configuration artifacts are encrypted in transit and at rest.

Authentication Models

• OAuth 2.0: Used where integrations connect to SaaS platforms that support OAuth. We request only the minimal scopes needed for the integration.
• API keys: Supported for platforms that rely on key-based access. Keys are stored as secrets and never committed to source control.
• Service accounts: GCP service accounts are used to run Cloud Run services and to access GCP resources with narrowly scoped IAM roles.
• Key rotation: Secrets can be rotated via Google Secret Manager and our configuration management workflow with minimal/no downtime.

Environment Security and Secret Management

• Runtime environment: Services run on Google Cloud Run (containerised), benefiting from Google’s managed isolation, automatic HTTPS, and per-revision immutability.
• Secrets: Managed primarily through Google Secret Manager; additionally, select encrypted configuration values are stored in My Glue settings (encrypted in transit and at rest). Secrets are fetched at runtime and are not baked into images or code.
• IAM: Access to secrets and runtime resources is controlled through IAM roles bound to service accounts with least-privilege permissions.
• Network controls: We can restrict egress, use private outbound connectivity, and limit ingress where required. Default deployments use Cloud Run’s managed endpoints over TLS.
• Supply chain: Dependencies are pinned and reviewed; CI enforces linting/type checks and runs security checks for known vulnerabilities where applicable.

Penetration Testing and Vulnerability Management

• Pen testing: We do not operate a dedicated in-house penetration testing program. Integration Glue (the hosting provider for our apps) conducts testing at the platform layer.
• Secure development lifecycle: We apply OWASP-aligned practices, threat modeling for new integrations, and peer code reviews with a focus on security and data minimisation.
• Vulnerability response: We track advisories, update dependencies, and patch containers as needed. Critical issues are prioritised for expedited remediation.

Logging, Traceability, and Monitoring

• Application logs: Structured logs are sent to Google Cloud Logging. Logs are scoped to the minimal level of detail needed for operability and troubleshooting.
• Error monitoring: Sentry is used for error reporting and alerting. We aim to avoid logging sensitive payloads; Sentry events are scrubbed to remove obvious identifiers where feasible.
• Correlation and tracing: We include request identifiers in logs to aid troubleshooting without exposing sensitive data.
• Retention and access: Log access is restricted via IAM and Google Groups. Retention follows project policy; we can adapt to customer requirements where needed.

Access Control and Administrative Governance

• Identity and groups: Administrative access is managed through Google Groups mapped to IAM roles. Membership follows least-privilege and is periodically reviewed.
• Segregation of duties: Build, deploy, and runtime permissions are separated to reduce risk.
• Auditability: IAM changes and API access are captured in Cloud Audit Logs.

Customer Responsibilities and Shared Responsibility

• Customer-owned systems: Where we integrate to customer APIs or data stores, customers control scopes, credentials, and any data residency constraints on their side.
• Regions/residency: Deployments can target specific GCP regions to align with residency needs; by default, we use standard regional placements supported by Cloud Run.

Summary

• Transport security: TLS everywhere (Cloud Run-managed).
• Data at rest: Platform encryption by default; options for tighter controls when required.
• Data handling: Transient processing; no customer data persisted by default.
• Secrets: Google Secret Manager and encrypted My Glue settings; fetched at runtime; least-privilege IAM.
• Monitoring: Cloud Logging for observability, Sentry for error tracking, with PII minimisation.
• Governance: Access via Google Groups and IAM; periodic reviews and audit logs.
• Assurance: OWASP-informed design, peer review, vulnerability patching; platform-level pen testing performed by Integration Glue.