Security

Airplane has a suite of features designed to enhance security and compliance for internal operations. You can read more about product features and security use cases at Airplane for security.

Data we collect and store

Airplane is a SaaS offering. Our agents can be self-hosted, but all other aspects of the platform are hosted by Airplane. This means that the following types of data are collected and stored by Airplane in order to provide our services:
  • Account metadata (company name, payment plan, etc.)
  • User account data (email, avatar, group membership, etc.)
  • Task metadata (task names, description, parameters, etc.)
  • Run metadata (run requester/approver/executor, timestamp, etc.)
  • Resource metadata (database connection information)
  • Usage analytics data (URLs of pages visited, etc.)
  • Logs and output produced by scripts, queries, or tasks that are run through Airplane
Any resources (e.g. databases) connected to Airplane are stored and managed by you. We do not copy or otherwise their contents.
We do not currently offer an on-premises or fully customer-hosted version of Airplane, but if you're interested in this, please email us at hello@airplane.dev.

Infrastructure and network security

Security is a top priority for us and we take the following measures to keep your data and account secure.

Hosting

Airplane is hosted on Google Cloud Platform (GCP) and all of our GCP servers are located in the United States. GCP data centers have state-of-the-art physical access controls, logical access controls, and frequent third-party independent audits. Google has published a detailed security whitepaper outlining these measures.
Airplane employees have audited and as-needed access to infrastructure on GCP. All employees have dedicated user accounts and access infrastructure via two-factor authentication.

SOC 2 Compliance

Airplane is SOC 2 compliant. This means that we regularly undergo third-party external penetration tests, conduct background checks of new employees, have all employees go through security awareness training, and more. To access our SOC 2 report, please email us at hello@airplane.dev.

Encryption

All data in transit is encrypted over HTTPS/TLS between you and Airplane's servers.
All data at rest is stored encrypted and replicated for durability.

Application security

Two-factor authentication and single sign-on

Airplane currently supports G Suite and SAML SSO, allowing customers to enforce that users sign in using customer-managed identity providers.
G Suite SSO is restricted to domain(s), so that customers can ensure users only sign in using customer-managed G Suite accounts.
Two-factor authentication for application login can be enforced at the identity provider level (e.g. by turning it on within G Suite).

Group-based permissions

To implement granular access to viewing and running tasks, Airplane allows customers to define groups within the application and assign users to groups. Tasks can be individually configured to allow only certain groups the ability to view, request, and execute.

Business continuity and disaster recovery

High Availability

The Airplane platform uses properly-provisioned, redundant servers (e.g. multiple load balancers, web servers, replica databases) to gracefully handle failures of nodes and/or datacenters. As part of regular maintenance, servers are taken out of operation without user-noticeable impact.

Business Continuity

Airplane keeps daily and point-in-time encrypted backups of data in multiple regions on Google Cloud Platform. While never expected, in the case of production data loss, we are able to restore customer data from these backups.

Disaster Recovery

In the event of a region-wide outage, Airplane will bring up a duplicate environment in a different Google Cloud Platform region. Airplane infrastructure is designed to be portable and restorable under different regions.

How to report vulnerabilities

You can email security@airplane.dev with details on any security vulnerabilities you discover.