Data Privacy and Security
The Speakeasy Platform is built with security and privacy as top priorities. The following sections detail our privacy and security policy for Managed SDKs and other platform feaatures.
Speakeasy provides a service to generate, update and publish SDKs on behalf of its customers.
Please note the following guidance refers only to sdks hosted on behalf of the customer in their own Github organisation and not those in Speakeasy's Github organisation:
- 3rd party code dependencies - All SDKs generated by Speakeasy use minimal to no 3rd party dependencies. Please see the langauge specific design pages for more information
- All tokens stored as GH secrets - Publishing tokens such as those used for NPM or PYPI or stored as Github Action Secrets (opens in a new tab). Speakeasy's Github workflows will use this tokens to publish sdk packages to package managers on behalf of the customer but will never export or have plain text access to these tokens
- GH workflows - All GH workflows and code generation run using Github hosted action runners (opens in a new tab).
- All code generated by Speakeasy is owned by the user. Speakeasy licenses code with the MIT open source License (opens in a new tab) by default. This can be altered by the owner of the SDK at any time.
- Authentication with Speakeasy platform - When the Speakeasy code generator is invoked it authenticates with the Speakeasy platform using a Github secret named
SPEAKEASY_API_KEY. This token is an opaque token that authenticates each generation run with a workspace in our platform. This enables us to collect metadata on generations on a per customer basis. Metadata does not include generated code.
- SDK Telemetry - By default sdk telemetry is turned off. Please see the property
telemetryEnabledin the generation config file,
gen.yaml, in your SDK repo. By default this is set to
Speakeasy provides a service to create a self service API platform for your users understand authenticate, onboard and understand how they are using your API.
- Principle of least access - All users of the platform and hosted developer portal have accessed scoped to a Workspace. All API keys, access tokens and stored API request logs are scoped to a Workspace.
- Secure Data storage - All API request and response data is stored in ISO/IEC 27001 verified data centers. We use Google Cloud as our primary cloud provider for the hosted offering.
- Secure communication - All network communication is encrypted in transit with SSL/TSL. For data transport we use secure gRPC and for all other APIs we use HTTPS by default.
- Secure access - All access to the Speakeasy web app is done via OAuth2.0. We use Github login and Google Identity Platform as our primary identity provider.
- Telemetry - We log all access to the Speakeasy web app and hosted developer portals including IP address, user agent, time of access and the API endpoint accessed. We use this data to monitor and improve the platform.
- Data retention - By default API request logs are retained for 30 days.
- Key masking - Any request logs sent to Speakeasy can be optionally masked. This includes cookies, headers, query params, auth information or any other keys in the API requests and response logs. See documentation on language specific SDKs for more details.
- Data deletion - All data stored in a workspace Speakeasy can be deleted on request. This includes API request logs, aggregate metrics and any other data stored in Speakeasy.
- Data export - All data stored in a workspace Speakeasy can be exported on request. This includes API request logs, aggregate metrics and any other data stored in Speakeasy.
:::note Self hosting Speakeasy is in preview. Please reach out to us if you are interested in hosting Speakeasy on your own infrastructure or check out our helm-charts (opens in a new tab) repository. :::
All the security and data privacy features from Speakeasy Cloud apply to self-hosting the product with the notable exceptions of:
- Secure Data Storage - All data is stored in your own infrastructure (either on cluster or in your data warehouse). Data retention, expiry, and deletion is left upto the user of Speakeasy.
- Telemetry - By default we still collect information on user access and system uptime, but this can be disabled by setting the
TELEMETRY_ENABLEDenvironment variable to
falsewhen deploying using Speakeasy helm charts. This achieve a completely airgapped environment.
If self hosting Speakeasy network configuration is left upto the user including DNS configuration, load balancing, and ingress configuration. By default we do not configure any out of VPC resources.
Think you may have found a security bug? We'd be happy to work with you to explore and resolve the issue -- and to ensure you are fairly rewarded. Rewards will be based on severity, per CVSS (Common Vulnerability Scoring Standard (opens in a new tab)). Get in touch with us at firstname.lastname@example.org to learn more.
Speakeasy is in the process of getting a SOC2 verification. We also provide access a security pen testing report upon request.
Please don't hesitate to reach out to us at email@example.com for any questions on the above!