Security and Compliance at Harness

At Harness, the security and privacy of customer data, intellectual property, and personal data are top priorities. We maintain a geographically diverse security team dedicated to operating and continuously improving our security and compliance programs.

Get in Touch

If you believe you have discovered a critical security bug or vulnerability, please contact security@harness.io. We’ll get back to you within 24 hours or sooner.

If you’d like to participate in our private bug bounty, please reach out with your preferred email address. We request that you do not publicly disclose the issue until we have had a chance to address it.

Compliance and Certifications

Harness takes security seriously, and has implemented a comprehensive security program to protect customer data. Each year, we undergo third-party audits and technical assessments of our security capabilities.

To request a copy of our latest reports as well as access additional information related to our security posture and controls, please visit the Harness Trust Center at trust.harness.io.

Data Privacy

Harness has intentionally minimized the amount of personal data needed to use our platform. In some circumstances, we may require personal data to facilitate your use of the platform, or to improve our websites and services.

Harness is compliant with GDPR, CCPA, and applicable privacy laws.
To understand your privacy rights and how we handle your personal data please review our Privacy Statement.
To manage the use of your privacy information, please see Do Not Sell or Share My Personal Information.
To exercise your privacy rights, please submit a request at Exercise Your Data Rights.

Security at Harness

How do we protect Harness?

Risk Management

Harness conducts risk assessments on at least an annual basis, and on-demand for significant changes to the environment. The output of the risk assessment is a report identifying and classifying risks, which are reviewed with management and stakeholders and tracked in a risk register. As a complement to the risk assessment process, Harness also conducts annual application business impact assessments to validate controls and security posture of critical systems.

Vendor Management

Harness maintains a vendor risk management program that includes regular monitoring and assessment of suppliers’ ability to comply with security and compliance requirements. The scope of this program includes both business systems and technical assets used for service delivery.

Threat Models

Harness conducts risk-based threat modeling for critical application features and components, including new features and modules.

Account Protection

All Harness employees use Single Sign-On for access to critical business systems, and we have adopted two-factor authentication across our estate wherever possible.

Training and Awareness

When new employees start, one of their first tasks is to attend security and privacy awareness training. We also conduct annual and ongoing security and privacy awareness training for all employees.

Vulnerability Management

We use industry-leading SAST, DAST, and SCA tools to discover vulnerabilities in our codebase and container images. Findings are handled according to our documented Vulnerability Management policy and procedures.

Penetration Tests

We conduct internal technical security assessments on a regular basis, and track all findings through our vulnerability management process. We also engage with trusted third parties to complete network and application penetration tests at least annually.

Audit Logging

We have audit logs enabled in our environment to identify anomalies, measure efficiency, and demonstrate compliance.

Incident Response

We maintain a dedicated Incident Response function, and keep customers updated on operational incidents through our Status Page.

How do we protect customers?

How does Harness ensure Delegate updates do not contain malicious code?

The Harness Delegate is a service running in your local network or VPC that connects all of your artifact, infrastructure, collaboration, verification, and other providers with the Harness Manager.

Harness follows a documented secure SDLC for all development (SaaS and on-prem) to ensure the integrity of software updates distributed to customers. The SDLC includes PR reviews, static code analysis (SAST), dynamic application security testing (DAST), regular penetration testing, and risk-based threat modeling for critical components.

Container Hardening

Harness Security reviews each image released to production and provides a "safe image" for the given deployment. This safe image ensures that third-party dependencies have been procured from trusted sources, and that relevant operating system hardening has been implemented.

How does Harness assess third-party dependencies prior to inclusion in our software?

Harness has implemented layered technical controls, including an automated scan integrated into our CI/CD pipeline to enumerate third-party security vulnerabilities, manual code review, and hardened production images.

Where are secrets stored?

Harness production secrets are stored using dedicated secret management technologies. Customers can use the built-in Harness Secrets Manager, or integrate an existing third-party solution.

Product Security Features

Encryption in Transit

Data submitted to Harness is encrypted in transit with TLS 1.2 or later over the public internet.

Encryption at Rest

Data stored in the Harness SaaS environment is encrypted at rest with AES-256.

Authentication & Authorization

Harness supports both local authentication and integration with your corporate Identity Provider. See our technical documentation for a detailed walkthrough on how to configure SSO. You can enforce two-factor authentication through Harness or through your Identity Provider.

Backups

We perform regular backups of our systems and data stored in the Harness platform. Data is encrypted at rest, and access to data stores is restricted by the principle of least privilege.

Business Continuity and Disaster Recovery

Harness maintains a documented BCDR program, which is tested at least annually. Our RPO is 6 hours, and RTO is 4 hours.
