Last update: 12th September 2024
Linkuid allows companies to test their applications by providing staging environments. They entrust us with their profile information, applications' source code, configurations, test data, and other types of information, and we take that trust to heart. We are dedicated to delivering a service that prioritizes security, and in this document, we outline the key physical, technical and organisational security practices we employ.
If you have any questions or concerns regarding our security practices, or you wish to disclose a security vulnerability, please contact us at security@linkuid.net.
We reduce the amount of information we need to the bare minimum necessary to provide our services effectively. When we select our partners to help us deliver our services, we try to choose ones that follow this guiding principle as well.
We try to simplify our systems as much as possible to decrease the number of possible security vulnerabilities.
Our web application runs on servers that host a web server doing server-side rendering, an nginx proxy, and SQLite. We call them app servers. The user interface is implemented using mostly HTML and CSS, with very little JavaScript.
For each Linkuid workspace we run servers whose only purpose is to run the systems of a single workspace. We call them workspace servers. We don't share workspace servers between workspaces. In each workspace server we run our users' applications using Docker, all behind an nginx proxy.
In addition to minimizing the number of services we need, we also try to minimize the software dependencies we need to implement our application.
We have very few dependencies both application-wise and OS-wise. Our app doesn't use any framework, which usually brings huge amounts of third-party code. Instead, it only uses small, single-purpose libraries. Our tools' ecosystem is very stable, making it easy to keep all dependencies up to date.
We strive to minimize the number of external services we need to partner with to provide our services. Rest assured we don't share your product's data with any of them. The only third-party vendors that have access to your products' data are your code hosting provider and the hosting company that owns the servers where we store and process your data.
Hetzner is our infrastructure provider, from whom we rent all the servers needed to provide this service. For more information about the security of the server and the hardware itself, here’s what Hetzner says about their security practices.
To protect your data against access or modification, all communications are encrypted.
Our users' web browsers and our app servers communicate using HTTPS.
Our users' web browsers and native applications and our workspace servers also communicate using HTTPS.
Our app servers and our workspace servers communicate through SSH connections.
Finally, our app servers and our users' code hosting providers also communicate using HTTPS.
We don't allow workspace servers to communicate with each other, which is especially important as we don't control the code that runs there.
When an environment is created, all its exposed endpoints are accessible to anyone with the URL while the environment is active (1 day by default). As part of onboarding, we recommend that customers limit the number of exposed endpoints (e.g. expose the HTTP server, don't expose the MySQL server), and also limit access to specific IP addresses.
It's very important that only the users assigned to a given workspace can access that workspace's data, and not everyone should be able to change it. We require users to be authenticated, and we allow workspace owners to set permissions for each user, limiting the actions they can perform.
All data is backed up in a separate location to allow us to continue providing our service in case there is a natural disaster.
In the Linkuid team, access to our servers is strictly limited to a few individuals.
We enforce a clear Acceptable Use Policy that prevents our clients from doing anything that might interfere with our service or with other clients. When they do interfere, we may terminate our contract with them.