Harness takes a comprehensive approach to data privacy and security to protect our infrastructure, products and customer data. Our geographically diverse security team is committed to operating and continually enhancing our security and compliance programs.
We have a multi-region architecture in place across separate geographic locations to ensure the platform and its services can be rapidly scaled up in the event of a disaster at the primary location. This architecture is tested by Harness at least annually to validate the failover procedures and recovery technologies.
We also perform frequent backups of our databases to ensure that data is backed up and can be restored to a point in time in the event of an incident or data corruption. Our Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are 4 and 6 hours respectively.
We conduct rigorous interviews and background checks to ensure we identify top candidates to join our team. Employees must complete security and privacy training during onboarding and annually.
Security is embedded throughout our software development lifecycle. All changes to production must be peer reviewed and approved, automatically tested through continuous integration, scanned for vulnerabilities, and include roll-back procedures prior to deployment.
We perform vulnerability management over our infrastructure and application code. Scans are run at least monthly and adhere to NIST vulnerability remediation timelines.
Our Incident Response program aligns with both the SANS PICERL and NIST SP 800-61 guides, and a dedicated Incident Response team is in place to ensure the program follows established internal policies.
Customers are updated on operational incidents through our Status Page and impacted customers are notified without undue delay of any security incidents.
Minimal PII is required for us to provide and maintain our services. All Harness customer data is internally classified under the most critical data classification and is therefore the most strictly controlled and secured. We encrypt all data in transit using TLS 1.2+, and data at rest within the Harness platform and our databases is AES-256 encrypted.
Customer data is never used in our non-production environments, which are strictly separated from our production environments and used for development, testing, and staging only.
We logically separate all customer accounts using unique Account IDs.
Harness adheres to the RBAC principle; unique user accounts and passwords are assigned to each employee based on least privilege.
Single Sign On (SSO) is enforced for critical business systems and two-factor authentication (2FA) is implemented wherever possible.
We use software to collect data from system infrastructure and endpoints, monitoring activities such as access, system performance, potential security vulnerabilities, and resource utilization; the information security and operations teams are alerted when unusual system activity or service requests are detected.
We are SOC 2 compliant and ISO 27001/27017/27018 certified! To request a copy of our latest reports and to access additional information related to our security posture and controls, please visit the Harness Trust Center at trust.harness.io.
On an annual basis, we engage an external body to conduct a penetration test against our application and external network.
We conduct risk assessments at least annually and after significant environmental changes; risks are classified based on likelihood, impact, and existing mitigation, then reviewed with management and stakeholders and tracked in a risk register. Additionally, we perform annual application business and privacy impact assessments to validate the security and controls of critical systems.
We maintain a vendor risk management program that includes regular monitoring and assessment of suppliers’ ability to comply with security and compliance requirements. The scope of this program includes both business systems and technical assets used for our service delivery.
We comply with GDPR, CCPA, and other applicable privacy laws.
The Harness Privacy Statement provides an overview of the data collected and how it may be used. Data Subject rights may be exercised by submitting a Privacy Request.
Our product supports both local authentication and integration with your corporate Identity Provider. See our technical documentation for a detailed walkthrough on how to configure SSO. You can also enforce Two-Factor Authentication through Harness or your Identity Provider.
Our platform boasts advanced Role-Based Access Control (RBAC) functionality, which allows for granular control over what users and service accounts can and cannot do in the platform.
We offer a comprehensive, out-of-the-box Audit Trail at the account and organization levels for all events and changes that take place in the platform.
The Harness Delegate runs in the customer’s environment to connect internal systems with the Harness Platform. This connection is a secure WebSocket over TLS.
The Harness product includes a built-in Secrets Management solution built on top of the GCP KMS service. This allows customers to maintain and store secrets used in their Harness account, pipelines, and connectors in a secure and convenient way.
We build on hardened images and provide a “safe image” for deployment. This safe image ensures that third-party dependencies have been procured from trusted resources, and that relevant operating system hardening has been implemented.
If you believe you have discovered a critical security bug or vulnerability that may impact our product or services, please contact security@harness.io.
We’ll get back to you within 24 hours. We request that you do not publicly disclose the issue until we have had a chance to address it.
If you’d like to participate in our private bug bounty, please reach out with your preferred email address.