Buddy Enterprise: Safety & Security

DISCLAIMER: Buddy Enterprise is the downloadable (on-premises) version of the Service (i.e. hosted on user infrastructure). For security information on the cloud-hosted version of Buddy, click here.

Buddy Enterprise operates on your infrastructure, which means it is governed by your existing information security controls: from firewalls and VPNs, to identity and access management and monitoring systems. The on-premises version of Buddy is intended for entities that are required to keep data in-house, entities in remote locations with slow Internet connections, and those already running their CI/CD process on local infrastructure.

Operating System, Firewall and Access

Buddy Enterprise uses Docker as the underlying technology. This means you can install it on any operating system that supports Docker. We recommend Linux, with properly configured firewalls and access permissions on the server hosting your Buddy Enterprise installation.

Application security

The application and repository data are available only to users defined in the workspace. There are two types of users: administrators, with full access to all projects, and members, who can only access projects to which they have been added. A member's scope of access is restricted (or expanded) independently for the source (Git repository) and for pipelines (deployments) using custom permissions.

Encrypted communications

All private data to and from Buddy is transmitted over SSL. All communication with the repository is done over SSH authenticated with keys, or via HTTPS using your Buddy username and password. All registered users are virtual and have no user account on our machines. The SSH credentials used to push and pull cannot be used to access a shell or the filesystem. You can also set a custom SSL certificate for HTTPS traffic.

Backups & Updates

Buddy Enterprise does not perform automatic backups. Instead, we provide tools for easy backup of both the application and the stored data. Configuring and running regular backups is critical for software hosted on premises. Buddy does not hold any responsibility for data loss or issues resulting from neglect of a proper backup policy. Running a backup is obligatory before updating the application to the newest version.

Patches to the core operating system and to running services that address security concerns are managed by Buddy as part of our standard product release cycle. This includes patches for new features, improvements, stability, and non-critical security issues, which are usually released on a weekly basis. Critical security patches are provided as needed outside of the regular release cycle and are specifically announced with email notifications and via our Twitter channel. You can easily check the version and update your Buddy Enterprise installation either from the CLI or the GUI.

External Services and Support Access

By design, Buddy Enterprise is able to operate without any egress access from your network to outside services. However, if your instance does have access to the Internet, it will send us events with the version of the application, and the total number of projects and users. Apart from that, we have no access to any data stored in your Buddy Enterprise installation.

When resolving a support issue we may sometimes ask you for more information. This can be handled in two ways:

  • Buddy feedback – the command sends a package with application logs and configuration files over an encrypted connection to a secure AWS S3 bucket. The package is available only to QA developers for the time required to resolve the issue and is removed immediately afterward.
  • SSH access – on rare occasions we may ask you to give us access to the server with your Buddy Enterprise installation. This is performed over a secure SSH connection (called a tunnel), which first has to be opened from the client's side by running a command on the server.

Questions?

If you have any questions regarding the safety and security of our Service, drop a word to support@buddy.works and we’ll get back in a snap.