Security
Airplane has a suite of features designed to enhance security and compliance for internal
operations. You can read more about product features and security use cases at
Airplane for security.
Data we collect and store
Airplane is a SaaS offering. Our agents can be self-hosted, but all other
aspects of the platform are hosted by Airplane. This means that the following types of data are
collected and stored by Airplane in order to provide our services:
- Account metadata (company name, payment plan, etc.)
- User account data (email, avatar, group membership, etc.)
- Task metadata (task names, description, parameters, etc.)
- Run metadata (run requester/approver/executor, timestamp, etc.)
- Resource metadata (database connection information)
- Usage analytics data (URLs of pages visited, etc.)
- Logs and output produced by scripts, queries, or tasks that are run through Airplane
Any resources (e.g. databases) connected to Airplane are stored and managed by you. We do not copy
or otherwise their contents.
We do not currently offer an on-premises or fully customer-hosted version of Airplane, but if you're
interested in this, please email us at hello@airplane.dev.
Infrastructure and network security
Security is a top priority for us and we take the following measures to keep your data and account
secure.
Hosting
Airplane is hosted on Google Cloud Platform (GCP) and all of our GCP servers are located in the
United States. GCP data centers have state-of-the-art physical access controls, logical access
controls, and frequent third-party independent audits. Google has published a detailed security
whitepaper outlining these measures.
Airplane employees have audited and as-needed access to infrastructure on GCP. All employees have
dedicated user accounts and access infrastructure via two-factor authentication.
SOC 2 Compliance
Airplane is SOC 2 compliant. This means that we regularly undergo third-party external penetration
tests, conduct background checks of new employees, have all employees go through security awareness
training, and more. To access our SOC 2 report, please email us at hello@airplane.dev.
Encryption
All data in transit is encrypted over HTTPS/TLS between you and Airplane's servers.
All data at rest is stored encrypted and replicated for durability.
Application security
Two-factor authentication and single sign-on
Airplane currently supports G Suite and SAML SSO, allowing customers to enforce that users sign in
using customer-managed identity providers.
G Suite SSO is restricted to domain(s), so that customers can ensure users only sign in using
customer-managed G Suite accounts.
Two-factor authentication for application login can be enforced at the identity provider level (e.g.
by turning it on within G Suite).
Group-based permissions
To implement granular access to viewing and running tasks, Airplane allows customers to define
groups within the application and assign users to groups. Each task can be individually configured
so that only certain groups are able to view, request, and execute it.
Business continuity and disaster recovery
High Availability
The Airplane platform uses properly provisioned, redundant servers (e.g. multiple load balancers,
web servers, replica databases) to gracefully handle failures of nodes and/or data centers. As part
of regular maintenance, servers are taken out of operation without user-noticeable impact.
Business Continuity
Airplane keeps daily and point-in-time encrypted backups of data in multiple regions on Google Cloud
Platform. While never expected, in the case of production data loss, we are able to restore customer
data from these backups.
Disaster Recovery
In the event of a region-wide outage, Airplane will bring up a duplicate environment in a different
Google Cloud Platform region. Airplane infrastructure is designed to be portable and restorable
in different regions.
How to report vulnerabilities
You can email security@airplane.dev with details on any security vulnerabilities you discover.