What are Split's security practices?
As a service that helps you release features directly to your users, we take security seriously. Our Security and Availability Overview addresses many of these issues in more detail, but briefly, Split addresses security through:
- Application authentication: Two-factor authentication and Google-verified sign-in are available to all customers.
- Encryption: we default communications over SSL, store keys and secrets using Amazon’s KMS, and login tokens are salted.
- Internal security controls: we peer-review and staging-test production code changes, all access to REST API endpoints require an access key, we do not capture any identifiable information on your customers, and all internal systems are gated by two-factor authentication.
- Infrastructure security: we limit access to production servers, use a global CDN to limit DDOS exposure, maintain daily datastore backups, and utilize separate development and production environments.
- External audits: Split undergoes a yearly penetration audit from Gotham Digital Science, which includes owasp-10 certification.
Visit split.io/security to learn more about our current security practices.