Security

Security Measures

Why trust FlyCI?

To protect your data, FlyCI employs several security measures:

  • Your jobs, when using FlyCI macOS runners, run in a secure and isolated environment
  • Your code and data are never saved on our servers after a workflow is completed
  • All communication is encrypted
  • Our database is encrypted at rest
  • Access to our servers is strictly controlled and audited

Data Isolation and Protection

FlyCI macOS runners are ephemeral, just-in-time (JIT) runners. This means that every time a runner is required, FlyCI creates a virtual machine (VM) where the GitHub workflow jobs are executed. The VM is destroyed the moment the workflow ends and the runner is not needed anymore. This is how we ensure no data is left behind.

The use of virtual machines also ensures we securely isolate your data from other users. FlyCI relies on the Apple Virtualization Framework, the official recommendation for creating and configuring macOS VMs. In addition, we implement strict rules around authentication and encryption to prevent unauthorized access to our systems.

FlyCI Wingman operates within an ephemeral FlyCI runner or in the GitHub runner of your choice, ensuring that your code remains secure during failure analysis. The LLM used by FlyCI Wingman is hosted by a third-party AI service, maintaining data privacy. The LLM analyzes the failure log. No additional code or data is shared except if explicitly required by the LLM to complete the analysis.

Data Separation from Other Users

The use of virtual machines ensures that your data remains separate from other users' data. Our strict security measures prevent unauthorized individuals from observing or accessing your data.

Data Storage After Workflow Completion

We do not store any of your data after a workflow is completed. This includes your code and secrets. Any data used by the runner is destroyed along with the runner itself.

Log Retention for FlyCI macOS runners

We retain metadata logs containing information about CI jobs, including the initiator, start time, duration, and selected hardware. The logs do not store any personal or sensitive data. They help us create valuable usage dashboards for our customers. They are also the basis on which we measure our performance and improve our services over time.

FlyCI macOS Runners' Authentication

To authenticate GitHub's self-hosting software and ensure it runs the appropriate workflow, we use Just-In-Time configuration. It can only be issued by the FlyCI app and is specific to the organization and the repository. It is not possible to access other repositories using the same configuration.

Are FlyCI services SOC2 Compliant?

FlyCI services are not SOC2 compliant yet, but we plan to start working on it. If you are interested, please email us at contact@flyci.net.

How can I report a security vulnerability?

For details on how to report security issues, please refer to our security.txt.