Security Overview

Details of how BugSnag keeps your data secure.

We take information security very seriously and use information security best practices across the entire stack, from infrastructure to code. We work with leading information security firms to ensure that our security practices are current and validated.

Data Center & Network Security

Data center security

BugSnag servers are hosted on the Google Cloud Platform (GCP) in facilities compliant with leading security standards, including SSAE 16, PCI DSS Level 1, ISO 9001 / ISO 27001, and many more. Any decommissioned storage devices are destroyed. Find out more about Google Cloud Platform security in the Google Security Whitepaper.

The data centers are secured by professional security personnel. Video surveillance, intrusion detection systems, and additional electronic systems are used to ensure access to these facilities is properly managed.

We use data centers based in the United States.

Network security

Protection

Our network is protected by redundant firewalls, best-in-class router technology, secure HTTPS transport over public networks, and regular audits.

Architecture

Our network security architecture consists of multiple security zones of trust. More sensitive systems, such as our database servers, are placed in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls apply. DMZs are used between the Internet and our network, and internally between the different zones of trust.

Third-party penetration tests

In addition to our extensive internal scanning and testing program, BugSnag regularly employs third-party security experts to perform a broad penetration test across the BugSnag production network.

Logical access

Access to the BugSnag production network is restricted on an explicit need-to-know basis, follows the principle of least privilege, is regularly audited and monitored, and is controlled by our Operations Team. Employees accessing the BugSnag production network are required to use multi-factor authentication.

Security incident response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Encryption

Encryption in transit

Communications between you and BugSnag servers are encrypted via industry best-practice HTTPS and Transport Layer Security (TLS) by default.

Encryption at rest

BugSnag encrypts customer data at rest: data is encrypted automatically before it is written to disk, and each data encryption key is itself encrypted (wrapped) with a set of master keys. Backups are also encrypted, so data remains encrypted throughout the backup process. You can learn more about this here.

Availability & Continuity

Uptime

BugSnag maintains a publicly available system status webpage at https://status.bugsnag.com that includes system availability details, scheduled maintenance, service incident history, and relevant security events.

Redundancy

BugSnag’s service clustering and network redundancies eliminate single points of failure. Our strict backup regime ensures customer data is actively replicated across both systems and facilities.

Data center

Data center facilities are equipped with advanced fire detection and suppression systems, electrical power outage protection systems, and climate management systems.

Disaster recovery

Our disaster recovery program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating disaster recovery plans, and testing.

Application Security

Secure Development

Security training

All employees participate in security best practices training.

Framework level security

We use leading tools and techniques to protect against common security vulnerabilities. These include, but are not limited to, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), and SQL Injection.

Protection against these attack vectors is evaluated as part of our third-party security audit.

Test environments isolation

Development and test environments are separated physically and logically from the production environment. No actual customer data is used in the development or test environments.

Application Vulnerabilities

Security penetration testing

BugSnag regularly employs third-party security experts to perform detailed penetration tests on the application and APIs. Details are available on request.

Responsible disclosure

Our Responsible Disclosure Program gives security researchers an avenue for safely testing and notifying BugSnag of security vulnerabilities.

Product Security Features

Two-factor authentication (2FA)

BugSnag supports 2FA using apps like Google Authenticator and Authy. 2FA adds an additional layer of security to your BugSnag account, making it much harder for somebody else to sign in as you even if they obtain your password. Learn more about 2FA support.

Secure credential storage

BugSnag follows secure credential storage best practices: passwords are never stored in human-readable form; only the result of a secure, salted, one-way hash is stored.
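To make "salted, one-way hash" concrete, here is an added example (not BugSnag's code; which hash and cost BugSnag uses is not stated) of the pattern a password store should implement, using Python's standard library: a fresh random salt per password, a slow key-derivation function (PBKDF2-HMAC-SHA256 here, at the iteration count OWASP recommends) with the parameters embedded in the stored record, constant-time verification, and a check that lets old records be upgraded when the cost policy is raised. The record format and function names are this example's own.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 600_000  # OWASP's recommended minimum for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
DIGEST_BYTES = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'algorithm$iterations$salt$digest'.

    A random per-password salt means two users with the same password get
    different records (so precomputed tables are useless), and the iteration
    count makes every guess expensive for whoever steals the records.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, DIGEST_BYTES)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and cost, then compare in constant time."""
    try:
        algorithm, iterations_s, salt_b64, digest_b64 = stored.split("$")
        iterations = int(iterations_s)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(digest_b64, validate=True)
    except (ValueError, TypeError):
        return False  # malformed record, e.g. a legacy plaintext or unsalted value
    if algorithm != ALGORITHM or iterations <= 0 or not expected:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, iterations: int = DEFAULT_ITERATIONS) -> bool:
    """True if the record is below current cost policy; rehash on the next successful login."""
    parts = stored.split("$")
    try:
        return len(parts) != 4 or parts[0] != ALGORITHM or int(parts[1]) < iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed input for demonstration only.
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
```

Storing the algorithm and iteration count inside the record is what allows the cost to be raised later without invalidating existing accounts: `verify_password` honours whatever cost the record was created with, and `needs_rehash` flags it for an upgrade once the user has proven the password.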

API security & authentication

BugSnag’s data access API is TLS-only and you must be a verified user to make API requests. You can authenticate against the API using either your username and password, or an API token.

Access privileges & roles

Access to data within BugSnag is governed by role and access rights configured within your organization. Organization admins can grant and revoke access to individual BugSnag projects.

Transmission security

All communications with BugSnag servers are encrypted using industry-standard TLS by default. This includes traffic between you and BugSnag and between BugSnag and the integrations you have configured. For email, BugSnag supports TLS between mail servers, mitigating eavesdropping on messages in transit.