We understand how important security and compliance are to our customers, and we have worked hard to make Zeplin secure. The security of our customers' data is a top priority. This paper outlines our approach to security and compliance and details the technical controls that protect that data.
What is Zeplin?
Zeplin is a collaboration and hand-off tool built for designers and developers. An app on your Mac or PC provides plugins for popular design tools such as Sketch. When designers export their work into a Zeplin project, we turn the images and design data into specs and style guides. From either the native app or our web app, developers access these specs and generate platform-specific code snippets.
Zeplin can integrate with your communication tools, for example updating a Trello board or sending a message to Slack whenever a change is made to a project. All data is hosted on our back-end. Every connection to Zeplin is encrypted in transit over HTTPS. Only you and the people you invite to your project have access to its data. We apply very restrictive access control policies to live data and industry-standard encryption to data at rest.
Security isn't just about making sure the right technology is in place. Zeplin makes sure we have the right people who build, maintain and oversee the systems. Although we are a small team, we are rigorous in making sure we hire the right people.
Every employee is subject to a background check. Once hired, all employees must learn Zeplin's security policies and go through a comprehensive security awareness training session. Key topics such as customer data privacy, data security, and phishing awareness are covered. New employees must agree to our Code of Conduct, which highlights our commitment to keeping information safe and secure. Ongoing training ensures that our crew is aware of new threats as they emerge.
An information security officer is responsible for ensuring all employees follow policies and procedures, as well as making sure those policies and procedures are relevant and up to date.
Privacy and Trust
Zeplin has procedures in place that limit access to sensitive information and systems to the staff who need it. All staff members have individual credentials, and multi-factor authentication is mandatory for staff when accessing sensitive systems.
Zeplin uses a certified partner to handle all credit card information; we do not store cardholder data ourselves. Our payment processor, Stripe, is certified as a PCI DSS Level 1 Service Provider, the most stringent level of certification available in the payments industry.
Zeplin does not sell or share any customer information or data with third parties.
Physical and Network Security
All customer data and all of Zeplin's servers are hosted on Amazon Web Services (AWS) in the U.S. All of our users' data is processed in the U.S.
AWS certifies its physical security with comprehensive compliance and controls, including granting physical access only to personnel with a validated business need, logged and monitored access, electronic surveillance, and professional security personnel at all data center entry points. AWS is accredited against multiple security industry certifications, including ISO 27001. More details are available from the AWS website.
Every connection to Zeplin is encrypted in transit over HTTPS using TLS 1.2. Zeplin forces HTTPS for all services, including our public website. Customer data is stored in encrypted storage (AES-256 in CBC mode, i.e. the 256-bit Advanced Encryption Standard in Cipher Block Chaining mode) in multiple physical locations within the United States. Our policy for the encryption of data in transit and at rest is available online.
We engage specialist security consulting firms to carry out penetration tests against our infrastructure. You can read more and see the test results in our penetration testing article.
Far from being an afterthought, security is an integral part of our operations.
Every staff member has unique credentials. Access to all systems is role-based, following the principles of deny-by-default and least privilege. Multi-factor authentication is mandatory when accessing sensitive systems.
Planning, analysis, and design are carried out by all developers at regular meetings. We make significant use of GitHub and of CircleCI as our CI tool. All code is reviewed by the team at the time of commit. The CI pipeline runs automated tests and pushes the build to an AWS instance, where it is beta-tested for a week. If that succeeds, the code is reviewed again, automatically tested again, and then requires manual clearance from one of four senior staff before it is released to production. User feedback and monitoring tools feed back into the planning phase.
Zeplin is built on top of AWS, and we take advantage of many AWS network and application security services, including vulnerability scanning, monitoring, alerting, intrusion detection, and configuration checks. In addition, our compliance tool runs continuous automated security compliance checks, and we centralize logging in services such as LogDNA and New Relic. For real-time detection and protection, we run an IDS/IPS that monitors network access in real time, alerts on suspicious activity, and actively defends our back-end against attacks, including retaining data for forensic analysis.
Zeplin's infrastructure is continuously scanned for network vulnerabilities using AWS and other tools, and the versions of the software we run are checked daily against published security advisories. Patches for any security issue are evaluated and rolled out through change management as soon as possible.
We promptly investigate all reported security issues. In line with applicable regulations, we will inform all customers affected by an incident as soon as possible, and in any case within the legally mandated notification period, which under the GDPR is 72 hours.
Failover and Backup
Automatic backups are built into our system. If a single server fails, another takes over immediately. All data is backed up daily and the backups are stored encrypted. Should the worst happen, such as the loss of an entire data center, we can rebuild all Zeplin data in a new location and be fully operational within five days.
All vendors are evaluated on the security controls they have in place, and their compliance is reviewed regularly. Before we adopt a vendor, we make sure that their security is equal to or better than our own and that the relevant compliance requirements are met.
Our application is built with security-by-design. Customer data may only be accessed through the application layer, and whether via the UI or an API, user access controls are enforced for every communication.
Zeplin users own their projects. They can invite people to a project, grant access to it, or revoke access at any time. Every user needs a username and password. Users self-register on the Zeplin platform, are validated through email verification, and must supply a password of more than 8 characters. If a user enters an incorrect password repeatedly, the account is temporarily locked for an hour. No customer or employee password is ever stored in the clear at any time in any cache, file, database, or access log.
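The password and lockout rules above, shown as an added example. This is illustrative code written for this page, not Zeplin's own implementation: it enforces the more-than-8-characters rule, stores only a salted scrypt hash (a common way of satisfying "never stored in the clear"), and locks the account for an hour after repeated failures. The lockout threshold of five attempts is an assumption, since the page says only "a number of times", and the injectable clock exists so the expiry can be exercised without waiting an hour.

```python
# Added illustration (not Zeplin's code): a login policy that enforces a minimum
# password length, stores only a salted scrypt hash, and temporarily locks the
# account after repeated failures. MAX_FAILED_ATTEMPTS is an assumption; the
# page only says "a number of times".
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional, Tuple

MIN_PASSWORD_LENGTH = 9      # "more than 8 characters"
MAX_FAILED_ATTEMPTS = 5      # assumed threshold, not stated on the page
LOCKOUT_SECONDS = 3600       # "locked out for an hour"


class PasswordTooShort(ValueError):
    pass


class AccountLocked(Exception):
    pass


def password_meets_policy(password: str) -> bool:
    """Length is counted in characters, not bytes, so non-ASCII passwords are not penalised."""
    return len(password) >= MIN_PASSWORD_LENGTH


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). scrypt is memory-hard, so offline guessing is expensive;
    128 * n * r = 16 MiB per hash stays under hashlib's default maxmem."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


class AccountStore:
    """In-memory stand-in for a user table. `clock` is injectable so lockout expiry can be tested."""

    def __init__(self, clock: Callable[[], float] = time.monotonic) -> None:
        self._accounts: Dict[str, dict] = {}
        self._clock = clock

    def register(self, username: str, password: str) -> None:
        if not password_meets_policy(password):
            raise PasswordTooShort("password must be more than 8 characters")
        salt, digest = hash_password(password)
        # Only the salt and the hash are kept; the plaintext is never written anywhere.
        self._accounts[username] = {"salt": salt, "digest": digest, "failures": 0, "locked_until": 0.0}

    def is_locked(self, username: str) -> bool:
        rec = self._accounts.get(username)
        return rec is not None and self._clock() < rec["locked_until"]

    def login(self, username: str, password: str) -> bool:
        rec = self._accounts.get(username)
        if rec is None:
            hash_password(password)  # do the same work for unknown users so timing does not reveal valid usernames
            return False
        if self.is_locked(username):
            raise AccountLocked(username)
        _, candidate = hash_password(password, rec["salt"])
        if hmac.compare_digest(candidate, rec["digest"]):  # constant-time comparison
            rec["failures"] = 0
            return True
        rec["failures"] += 1
        if rec["failures"] >= MAX_FAILED_ATTEMPTS:
            rec["failures"] = 0
            rec["locked_until"] = self._clock() + LOCKOUT_SECONDS
        return False


if __name__ == "__main__":
    store = AccountStore()
    store.register("alice", "correct horse battery")   # constructed sample account
    print(store.login("alice", "correct horse battery"))  # True
    for _ in range(MAX_FAILED_ATTEMPTS):
        store.login("alice", "wrong guess")
    print(store.is_locked("alice"))                       # True
```

A correct password entered while the account is locked still raises AccountLocked rather than logging the user in, which is what makes the lockout effective against an online guessing attack; the failure counter is reset when the lock is applied so that the next window starts clean once it expires.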
Customer Data Confidentiality
Design data in Zeplin is tightly controlled to ensure it remains confidential. We use the strong segregation mechanisms in AWS to ensure data does not leak outside Zeplin's control. All your images and design data are stored in encrypted S3 buckets, sandboxed and segregated from other users' data by the Zeplin back-end, which mediates all access to stored data and checks and enforces permissions on every network request.
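The per-request authorization gate described above, and the owner-controlled invite and remove operations from the previous section, shown as one added example. This is illustrative code written for this page, not Zeplin's back-end: the object key layout `projects/<project_id>/<object>`, the three roles, and the action names are all assumptions. The point it demonstrates is that the stored object is looked up only after the key has been canonicalised, mapped to a project, and checked against the caller's role, with any unknown action or non-member denied by default.

```python
# Added illustration (not Zeplin's code): the back-end authorization gate that sits
# between every request and stored design data. The key layout
# "projects/<project_id>/<object>" and the role/action names are assumptions.
import posixpath
from enum import Enum
from typing import Dict, Optional


class Role(Enum):
    OWNER = "owner"
    EDITOR = "editor"
    VIEWER = "viewer"


# Deny by default: an action that is not listed here is never allowed.
PERMISSIONS = {
    "read": {Role.OWNER, Role.EDITOR, Role.VIEWER},
    "write": {Role.OWNER, Role.EDITOR},
    "invite": {Role.OWNER},
    "remove_member": {Role.OWNER},
}


class Denied(PermissionError):
    pass


class ProjectStore:
    """In-memory stand-in for the project membership table."""

    def __init__(self) -> None:
        self._members: Dict[str, Dict[str, Role]] = {}

    def create_project(self, owner: str, project_id: str) -> None:
        self._members[project_id] = {owner: Role.OWNER}

    def can(self, user: str, project_id: str, action: str) -> bool:
        role = self._members.get(project_id, {}).get(user)
        return role is not None and role in PERMISSIONS.get(action, set())

    def authorize(self, user: str, project_id: str, action: str) -> None:
        if not self.can(user, project_id, action):
            raise Denied(f"{user} may not {action} on {project_id}")

    def invite(self, actor: str, project_id: str, new_user: str, role: Role) -> None:
        self.authorize(actor, project_id, "invite")
        self._members[project_id][new_user] = role

    def remove_member(self, actor: str, project_id: str, user: str) -> None:
        self.authorize(actor, project_id, "remove_member")
        self._members[project_id].pop(user, None)


def project_for_key(key: str) -> Optional[str]:
    """Map an object key to its project, or None if the key is not canonical.
    normpath collapses '..', '.' and '//'; if that changes the key we reject it rather
    than guess what was meant, so 'projects/p1/../p2/x' can never be served from p2."""
    if key.startswith("/") or posixpath.normpath(key) != key:
        return None
    parts = key.split("/")
    if len(parts) < 3 or parts[0] != "projects" or not parts[1]:
        return None
    return parts[1]


def fetch_object(store: ProjectStore, user: str, key: str, blobs: Dict[str, bytes]) -> bytes:
    """Every read passes the permission check; the blob lookup happens only after it."""
    project_id = project_for_key(key)
    if project_id is None:
        raise Denied(f"malformed key {key!r}")
    store.authorize(user, project_id, "read")
    return blobs[key]


if __name__ == "__main__":
    store = ProjectStore()
    store.create_project("alice", "p1")
    store.invite("alice", "p1", "bob", Role.VIEWER)
    # Constructed sample objects standing in for S3 contents.
    blobs = {"projects/p1/screen.png": b"png-bytes", "projects/p2/secret.png": b"other-tenant"}
    print(fetch_object(store, "bob", "projects/p1/screen.png", blobs))  # b'png-bytes'
    print(store.can("bob", "p2", "read"))                                # False
```

The membership check is keyed on the project derived from the object key, not on a project identifier supplied separately by the client, which closes the common gap where a request names one project for authorization and a different one for the actual object.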
Minimal Data Stored, and Never Shared
When designers export their designs into Zeplin, it only stores the layer data along with an image - never the actual design file. Most design information never leaves your own computer, and Zeplin does not share any design information or make use of design data processing by any third party vendors.
Mobile Device Security
Zeplin is a desktop and a web app. There is no mobile app component.
Secure Software Development
We take code review very seriously: it accounts for about 30% of our development time, and we do not compromise on it. Our review process works the way an open source project's does. Every branch, feature, and release is reviewed by several team members, and each pull request must be approved by at least one senior engineer on the same team. Unit and/or integration tests must be complete and passing before a pull request is opened.
We use CircleCI for continuous integration, automated testing, and deployment of both our back-end and front-end stacks. Zeplin's code is hosted in private GitHub repositories, and we rely heavily on GitHub's code review tooling.
Every three months, we run security training for the engineering team so that everyone is aware of the flaws that could affect our stack and can confirm that none of our applications are exposed to them. We review every application during these sessions and discuss ways to improve and automate the reviews.
Zeplin is working hard toward attestation under SOC 2, the American Institute of CPAs' industry-standard reporting framework for security controls. Formalization of, and compliance with, the SOC 2 Trust Services Criteria (TSC) is underway. We aim to be ready for a Type I audit in Q1 2020 and for a Type II audit, which checks continuing compliance over a period of time, in H2 2020.