Security & Compliance

What we believe

We believe in a culture of transparency. As such, we are committed to providing you with assurance of our security practices and answers to the questions most frequently asked during due diligence. We understand that you may have unique priorities or requirements. If you have a question that is not covered in this brief, please contact your Account Executive.

Who we are

Cypress is a next generation front end testing tool built for the modern web. Our solution addresses the key pain points developers and QA engineers face when testing modern applications. There is an open-source component (“Cypress app”) and a cloud based Software-as-a-Service (SaaS) component (“Cypress Cloud”). Cypress Cloud is designed to store a full history of test results and allow you to quickly view the current state of your application(s), identify problematic trends through rich analytics, and diagnose unreliable tests with the support of tools like Flaky Run Detection and Analytics.

Security architecture principles

• ISO 27001 and NIST 800-53 Standards Based Approach

• Least Privilege Principle

• Defense in Depth

• Zero Trust Architecture

• Low Attack Surface

• Security and Privacy by Design

Cypress Cloud security

Access & authorization

Cypress Cloud supports Enterprise SSO, Google, GitHub, and traditional username and password for login. Role Based Access Control (RBAC) is also available.

Personally identifiable information (PII)

Cypress Cloud respects individual privacy and limits collection to first name, last name, and email address which are used for the purpose of authentication and authorization. This information is encrypted in-transit and at-rest and is never shared with third parties.

Testing content

You, the customer, own and are responsible for your test content. We trust that customers will make decisions about the appropriateness of data to use in testing and will avoid use of PII, PHI, or other types of protected information. Cypress will make commercially reasonable efforts to protect confidentiality of information that is provided to Cypress Cloud. All test content is stored in the USA in multi-tenant environments which employ technical controls to logically separate data. Data about tests and test metadata are used to improve the service and test content is not shared with third parties. Any test content stored in a Public Project is considered publicly available and not confidential.

No access to customer systems

The open-source Cypress app runs locally within the customer environment, typically on a user’s computer and/or within a continuous integration pipeline, and sends Testing Content to Cypress Cloud. Cypress Cloud records results from the Cypress app and maintains no access to customer systems, source code, or software.

Network protection

Cypress Cloud uses various forms of network protections such as security groups, firewalls, web application firewalls, and DDoS protection/mitigation techniques to limit network access and prevent abuse.

Encryption

Cypress Cloud encrypts all Testing Content in-transit using TLS 1.2 or greater and at-rest using AES-256 or greater. Cipher suites follow industry standards for security and performance.

Secrets

Cypress Cloud uses a well defined process to guarantee secret confidentiality. Secrets are environment specific and not permitted to be stored in source code.

Security testing

Cypress Cloud undergoes regular Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). Third party penetration testing is conducted annually.

Secure software development lifecycle plan (SSDLC)

Cypress Cloud is developed using industry best practices for secure software development, including the use of automated SDLC processes. Changes are documented, reviewed, and approved prior to execution. Changes are tested in non-production environments and validated using the Cypress app and Cypress Cloud prior to production deployment. Infrastructure changes follow Infrastructure-as-Code best practices.

Resilience

Cypress Cloud leverages highly available architectures deployed across geographically diverse zones and regions to maximize availability. This includes static data repositories which are replicated across geographies. A publicly available status page is available at www.cypressstatus.com.

Backups

Cypress Cloud is backed up daily to provide recovery capability in the event of unexpected data loss. Backups are kept for 35 days. Disaster recovery plans and processes are tested at least annually.

Third party attestation

Cypress works with an independent, third party auditor on an annual basis to maintain a SOC 2 Type 2 report for Cypress Cloud, which objectively certifies our controls to ensure the continuous security, availability, confidentiality, and integrity of our customers' data.

Organizational security

User access

Access for our remote workforce is governed by the privilege of least privilege required. Prior to joining, all new employees must undergo a standard background check. Upon joining all access requests are logged and approved by authorized personnel. Multi-factor authentication (MFA) is enforced on critical services.

Passwords

Internal password policies are aligned to the NIST 800-63B standard which enforces length, complexity, and restrictions on commonly used password variants. Secure password vaults are provided to all employees.

Mobile device management (MDM)

MDM software is used to enforce controls which help to ensure our remote workforce’s devices stay safe and secure. Examples of enforced settings include full disk encryption for all devices, use of endpoint protection, and firewalls, along with automated system updates and patches to approved versions.

Security incident detection and response

Incident response is guided by a regularly tested and continuously refined SANS-based Incident Response Plan. The Information Security team employs a suite of tools and technologies which are used to detect and alert on suspicious activities. Alerts are routed to the Security team and follow Incident Response Plan procedures.

Security awareness training

Security awareness training is delivered to all employees at onboarding and annually thereafter. In addition to awareness training, development employees also take OWASP focused training at onboarding and annually thereafter. Regular phishing exercises are also conducted to assess the effectiveness of the training on the security culture.

Business continuity and disaster recovery

Business Continuity and Disaster Recovery Plans are maintained and regularly tested.

Vulnerability management

Vulnerabilities are managed through a Vulnerability Management Program aligned to industry best practices. Emerging threats are triaged, classified and remediated upon prescriptive timelines. A responsible disclosure process has been established to allow for confidential submission of potential vulnerabilities. A formal bug bounty program with financial rewards is not offered at this time.

Risk management

Risk is continuously managed through a Risk Management Program aligned to industry best practices. Risks are identified, analyzed, evaluated, treated, and monitored according to policy. Formal assessments conducted at least annually and all risks and exceptions are captured and logged.

Vendor reviews

Vendors are managed through a Vendor Management Program aligned to industry best practices. Each vendor is evaluated and classified based on assigned risk. Critical vendors are assessed at least annually and subjected to enhanced security evaluations to ensure compliance with security practices.

Information security policies

Cypress maintains a library of policies and procedures which align with ISO27001 standards.