We understand how important security and compliance are, and we’ve worked hard to make sure that our products are secure. The security and protection of our customers’ data is definitely a top priority and this paper outlines our approach to security and compliance, and details the technical controls that keep your data safe.
What is Zeplin?
Zeplin is a collaboration and hand-off tool built for graphic designers and developers. An app on your Mac or PC provides plugins for popular design tools such as Sketch. When designers export their work into a Project, we turn the images and design data into specs and style guides. From either the native app or our web app, developers access these specs and generate platform-specific code snippets.
Omlet is the newest addition to the Zeplin family. Omlet is a component analytics tool for developers that analyzes your source code and measures component usage across your Projects. Omlet implements the same security controls as the rest of the Zeplin ecosystem, so whenever we refer to Zeplin in this article, the same controls apply to Omlet as well. You can read more about Omlet's specific details in the Omlet documentation.
Our products can integrate with your communication tools, for example updating a Trello board or sending a message to Slack whenever a change is made to a Project, and we make sure these integrations are secure as well. All data is securely hosted on our back-end, and every connection made to Zeplin or Omlet is end-to-end encrypted over HTTPS. Only you and the people you invite to your Projects have access to this data. We have very restrictive access control policies for live data, and we apply industry standards for data at rest.
Security isn't just about making sure the right technology is in place. Zeplin makes sure we have the right people who build, maintain and oversee the systems. We are rigorous in making sure we hire the right people.
Every employee is subject to a background check. Once hired, all employees must learn Zeplin's security policies and go through a comprehensive security awareness training session. Key topics such as customer data privacy, data security, and phishing awareness are covered. New employees must agree to our Code of Conduct, which highlights our commitment to keeping information safe and secure. Ongoing training ensures that our crew is aware of new threats as they emerge.
Our dedicated Information Security Officer is responsible for ensuring all employees follow policies and procedures, as well as making sure those policies and procedures are relevant and up to date.
Privacy and Trust
Zeplin has procedures in place that limit access to sensitive information and systems to the staff who need it. All staff members have individual credentials, and multi-factor authentication is mandatory for staff when accessing sensitive systems.
Zeplin uses a certified partner to handle all credit card information, and we do not store any cardholder data (PCI DSS scope) ourselves. Our processor, Stripe, is certified to PCI Service Provider Level 1, the most stringent level of certification available in the payments industry.
Zeplin does not sell or share any customer information or data with third parties.
Physical and Network Security
All customer data, and the servers we use, are securely hosted on Amazon AWS in the U.S. All of our users' data is processed in the U.S.
AWS certifies its physical security with comprehensive compliance and controls, including restricting physical access to personnel with a validated business need, logging and monitoring of all access, electronic surveillance, and professional security personnel at all data center entry points. AWS is accredited against multiple security industry certifications, including ISO 27001. More details are available from the AWS website.
Every connection made to our servers is required to be end-to-end encrypted over HTTPS using TLS 1.2 or higher, including every part of our public websites. Customer data is stored in containers encrypted with AES256-CBC (256-bit Advanced Encryption Standard in Cipher Block Chaining mode) in multiple physical locations within the United States. Our policy for encryption of data in transit and at rest is available online.
Zeplin uses specialist security consulting firms to carry out penetration tests on our infrastructure. You can read more and see the testing results in our penetration testing article.
Far from being an afterthought, security is an integral part of Zeplin's operations.
Every staff member has a unique username and password. Access to all systems is role-based, following the principles of deny-by-default and least privilege. Multi-factor authentication is mandatory when accessing sensitive systems.
Planning, analysis, and design are carried out among all developers at regular meetings. We make significant use of GitHub and a CI tool, CircleCI. All code is reviewed by a team at the time of commit. The CI runs automated tests and pushes to an AWS instance, where the build is beta-tested for a week. After success, it is code-reviewed and automatically tested again, and then needs manual clearance from one of four senior staff to be released to production. User feedback and monitoring tools report back into the planning phase.
Zeplin's cloud presence is built on top of AWS, and we take advantage of many AWS network and application security services, including vulnerability scanning, monitoring, alerting, intrusion detection and configuration checks. In addition, our Compliance tool carries out continuous automated security compliance checks, and we centralise logging in services such as Sentry and New Relic. For real-time detection and protection, we run IDS/IPS that monitors network access in real time, alerts on suspicious activity, and actively defends our back-end systems against attacks, including preserving data for forensic analysis.
Zeplin's infrastructure is constantly scanned for network vulnerabilities using AWS and other tools, and code versions are checked daily against published security notices. Patches for any security issue are evaluated and rolled out, via change management, as soon as practicable.
Zeplin rapidly investigates all reported security issues. In compliance with international regulations, we will inform all customers affected by an incident as soon as possible, and in any case within the legally mandated notification period of 72 hours.
Failover and Backup
For systems where we store or process customer data, automatic backups and resiliency are built in. If a single server fails, another one takes over instantaneously. All data is backed up daily and stored encrypted. Should the worst happen—such as losing a data center—we can rebuild all Zeplin data in a new location and be fully operational within five days.
All of our vendors are evaluated on the security controls they have in place, and their compliance is reviewed regularly. Before we use a vendor, we make sure that their security is the same as or better than our own, and that the appropriate compliance requirements are met.
Our applications are built with security-by-design. Customer data may only be accessed through the application layer, and whether via the UI or an API, user access controls are enforced for every communication.
Zeplin's users are always the owners of their Projects. You have the control to invite, allow access to, or remove access to your Projects at any time.
All users need a unique user ID. Users self-register on the Zeplin platform and are validated via email verification. If you use Zeplin to manage your password, you'll need to supply a password that meets minimum security requirements (specifically, we follow NIST SP 800-63B). If a user enters an incorrect password a number of times, the account is temporarily locked out for an hour. No customer or employee password is ever stored in the clear at any time in any cache, file, database, or access log.
We also integrate with enterprise-grade access control standards such as SAML and SCIM, so access to your Projects can be fully aligned with your enterprise policies.
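As an added illustration (this is not Zeplin's code), the following Python shows what the password rules and lockout described above look like in practice: a NIST SP 800-63B-style acceptance check (length plus a blocklist, no composition rules), salted hashing so the clear-text password is never stored, and a one-hour lockout after repeated failures. The failure threshold of 5, PBKDF2 as the hash, and the blocklist contents are assumptions, since the page does not state them.

```python
import hashlib
import hmac
import os

MIN_LEN, MAX_LEN = 8, 64      # SP 800-63B: at least 8 characters, accept at least 64
LOCKOUT_THRESHOLD = 5         # assumed; the page only says "a number of times"
LOCKOUT_SECONDS = 3600        # "temporarily locked out for an hour"
# Constructed stand-in for a breached-password corpus (SP 800-63B section 5.1.1.2).
BLOCKLIST = {"password", "12345678", "qwertyuiop", "letmein123"}

def password_problems(pw, context_words=()):
    """Reasons to reject pw (empty list = accepted); no composition rules."""
    problems, low = [], pw.lower()
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        problems.append("length must be %d-%d characters" % (MIN_LEN, MAX_LEN))
    if low in BLOCKLIST:
        problems.append("appears in breached-password list")
    if any(w and w.lower() in low for w in context_words):
        problems.append("contains a context-specific word such as the username")
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    if (pw and steps <= {0}) or steps in ({1}, {-1}):
        problems.append("repetitive or sequential characters")
    return problems

def hash_password(pw, rounds=100_000):
    """Salted PBKDF2-HMAC-SHA256 record; the clear-text password is never kept."""
    salt = os.urandom(16)   # raise rounds in production (OWASP suggests 600,000)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, rounds)
    return {"salt": salt, "rounds": rounds, "digest": digest}

def verify_password(pw, rec):
    got = hashlib.pbkdf2_hmac("sha256", pw.encode(), rec["salt"], rec["rounds"])
    return hmac.compare_digest(got, rec["digest"])   # constant-time comparison

def login_attempt(records, failures, user, pw, now):
    """One login. records: user -> hash record. failures: mutable dict
    user -> (consecutive failures, locked_until). Returns ok/bad_password/locked."""
    count, locked_until = failures.get(user, (0, 0))
    if now < locked_until:
        return "locked"      # refuse before touching the password at all
    rec = records.get(user)
    if rec and verify_password(pw, rec):
        failures.pop(user, None)
        return "ok"
    count += 1
    if count >= LOCKOUT_THRESHOLD:
        failures[user] = (0, now + LOCKOUT_SECONDS)   # count resets when it expires
        return "locked"
    failures[user] = (count, 0)
    return "bad_password"
```

Note that a locked account rejects even the correct password until the hour has elapsed, and that unknown usernames are counted the same way as wrong passwords.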
Customer Data Confidentiality
Design data in Zeplin is carefully managed to ensure it remains confidential. We use the strong segregation mechanisms in AWS to ensure data does not leak outside of Zeplin's control. Within our cloud services, all your images and design data are stored in encrypted S3 containers, sandboxed and segregated from other users' data by the Zeplin back-end, which controls all access to stored data and checks and enforces permissions for every network request.
Minimal Data Stored, and Never Shared
We upload as little of your information as possible. When designers export their designs into Zeplin's cloud services, we store only the layer data along with an image, never the actual design file. When you scan your code with the Omlet tool, only summarised information is uploaded so that we can show you component usage and dependencies; we never upload any of your code. Most information never leaves your own computer, and Zeplin does not share any design information or have design data processed by any third-party vendor.
Mobile Device Security
Zeplin products are desktop apps and web apps. We do not have a mobile app component.
Secure Software Development
We take code review very seriously: it accounts for around 30% of our development time, and we don't compromise on it. For code review, Zeplin operates like an open source project team. Every single branch, feature, and release is reviewed by many team members, and each pull request must be approved by at least one senior engineer within the same team. Integration and/or unit tests must be complete and passing before a pull request is opened.
We use CircleCI for our back-end and front-end stacks for continuous integration, deployment, and automated testing. Zeplin's code is hosted in GitHub's private repositories, and we make full use of GitHub's code review tool.
Every three months, we carry out security training for the engineering team, so that everyone is aware of the flaws that could occur in our stack and we can confirm that none of our applications are affected. We review every application at those training sessions and discuss ways to improve and automate the reviews.