Security & Compliance

At Cypress, we leverage enterprise-grade security features with regular audits of our applications, systems, and networks to ensure that you can trust the infrastructure that hosts the systems we know you rely upon.

Report a security issue

What we believe

We believe in a culture of transparency. As such, we are committed to providing you with assurance of our security practices and answers to the questions most frequently asked during due diligence. We understand that you may have unique priorities or requirements. If you have a question that is not covered in this brief, please contact your Account Executive.

Who we are

Cypress is a next generation front end testing tool built for the modern web. Our solution addresses the key pain points developers and QA engineers face when testing modern applications. There is an open-source component (“Cypress app”) and a cloud based Software-as-a-Service (SaaS) component (“Cypress Cloud”). Cypress Cloud is designed to store a full history of test results and allow you to quickly view the current state of your application(s), identify problematic trends through rich analytics, and diagnose unreliable tests with the support of tools like Flaky Run Detection and Analytics.

Security architecture principles

  • ISO 27001 and NIST 800-53 Standards Based Approach

  • Least Privilege Principle

  • Defense in Depth

  • Zero Trust Architecture

  • Low Attack Surface

  • Security and Privacy by Design

Cypress Cloud security

Access & authorization

Cypress Cloud supports Enterprise SSO, Google, GitHub, and traditional username and password for login. Role Based Access Control (RBAC) is also available.

Personally identifiable information (PII)

Cypress Cloud respects individual privacy and limits collection to first name, last name, and email address which are used for the purpose of authentication and authorization. This information is encrypted in-transit and at-rest and is never shared with third parties.

Testing content

You, the customer, own and are responsible for your test content. We trust that customers will make decisions about the appropriateness of data to use in testing and will avoid use of PII, PHI, or other types of protected information. Cypress will make commercially reasonable efforts to protect confidentiality of information that is provided to Cypress Cloud. All test content is stored in the USA in multi-tenant environments which employ technical controls to logically separate data. Data about tests and test metadata are used to improve the service and test content is not shared with third parties. Any test content stored in a Public Project is considered publicly available and not confidential.

No access to customer systems

The open-source Cypress app runs locally within the customer environment, typically on a user’s computer and/or within a continuous integration pipeline, and sends Testing Content to Cypress Cloud. Cypress Cloud records results from the Cypress app and maintains no access to customer systems, source code, or software.

Network protection

Cypress Cloud uses various forms of network protections such as security groups, firewalls, web application firewalls, and DDoS protection/mitigation techniques to limit network access and prevent abuse.

Encryption

Cypress Cloud encrypts all Testing Content in-transit using TLS 1.2 or greater and at-rest using AES-256 or greater. Cipher suites follow industry standards for security and performance.

Secrets

Cypress Cloud uses a well defined process to guarantee secret confidentiality. Secrets are environment specific and not permitted to be stored in source code.

Security testing

Cypress Cloud undergoes regular Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST). Third party penetration testing is conducted annually.

Secure software development lifecycle plan (SSDLC)

Cypress Cloud is developed using industry best practices for secure software development, including the use of automated SDLC processes. Changes are documented, reviewed, and approved prior to execution. Changes are tested in non-production environments and validated using the Cypress app and Cypress Cloud prior to production deployment. Infrastructure changes follow Infrastructure-as-Code best practices.

Resilience

Cypress Cloud leverages highly available architectures deployed across geographically diverse zones and regions to maximize availability. This includes static data repositories which are replicated across geographies. A publicly available status page is available at www.cypressstatus.com.

Backups

Cypress Cloud is backed up daily to provide recovery capability in the event of unexpected data loss. Backups are kept for 35 days. Disaster recovery plans and processes are tested at least annually.

Third party attestation

Cypress Cloud is subjected to an annual Type 2 third party audit against the AICPA System and Organization Controls (SOC 2 Type 2) standard for Security, Availability, and Confidentiality.

Organizational security

User access

Access for our remote workforce is governed by the privilege of least privilege required. Prior to joining, all new employees must undergo a standard background check. Upon joining all access requests are logged and approved by authorized personnel. Multi-factor authentication (MFA) is enforced on critical services.

Passwords

Internal password policies are aligned to the NIST 800-63B standard which enforces length, complexity, and restrictions on commonly used password variants. Secure password vaults are provided to all employees.

Mobile device management (MDM)

MDM software is used to enforce controls which help to ensure our remote workforce’s devices stay safe and secure. Examples of enforced settings include full disk encryption for all devices, use of endpoint protection, and firewalls, along with automated system updates and patches to approved versions.

Security incident detection and response

Incident response is guided by a regularly tested and continuously refined SANS-based Incident Response Plan. The Information Security team employs a suite of tools and technologies which are used to detect and alert on suspicious activities. Alerts are routed to the Security team and follow Incident Response Plan procedures.

Security awareness training

Security awareness training is delivered to all employees at onboarding and annually thereafter. In addition to awareness training, development employees also take OWASP focused training at onboarding and annually thereafter. Regular phishing exercises are also conducted to assess the effectiveness of the training on the security culture.

Business continuity and disaster recovery

Business Continuity and Disaster Recovery Plans are maintained and regularly tested.

Vulnerability management

Vulnerabilities are managed through a Vulnerability Management Program aligned to industry best practices. Emerging threats are triaged, classified and remediated upon prescriptive timelines. A responsible disclosure process has been established to allow for confidential submission of potential vulnerabilities. A formal bug bounty program with financial rewards is not offered at this time.

Risk management

Risk is continuously managed through a Risk Management Program aligned to industry best practices. Risks are identified, analyzed, evaluated, treated, and monitored according to policy. Formal assessments conducted at least annually and all risks and exceptions are captured and logged.

Vendor reviews

Vendors are managed through a Vendor Management Program aligned to industry best practices. Each vendor is evaluated and classified based on assigned risk. Critical vendors are assessed at least annually and subjected to enhanced security evaluations to ensure compliance with security practices.

Information security policies

Cypress maintains a library of policies and procedures which align with ISO27001 standards.

Frequently Asked Questions

How do I report a possible security vulnerability?

Cypress encourages responsible disclosure of potential vulnerabilities. We kindly request that you act in a manner to protect our users’ data and work with us to close the vulnerability prior to disclosing it to others. Please do not submit security vulnerabilities as issues, but instead report them using the button above or directly via email at [email protected].

Please note that Cypress’ implementation of email spoofing, DKIM, SPF, and DMARC is by design. Please do not hesitate to report any of the other following other types of issues:

  • Injection vulnerabilities

  • Authentication or session problems

  • Improper access to sensitive data

  • Broken access controls

  • Cross-site scripting

  • Anything from the OWASP Top 10 List

What does Cypress store and what is it used for?

Cypress respects individual and organizational privacy and we limit the amount of information we collect. Personal information is limited to email address, first name, and last name and used for the purposes of authentication and authorization (role based access) within Cypress Cloud.

Cypress Cloud also stores test content and test metadata which is composed of test results, test durations, screenshots, logs of test runs, and/or screen replays of the tests run by the users within the organization. Data about tests and test metadata are used to improve the service and test content is not shared with third parties.

You, the customer, own and are responsible for your test content. We trust that customers will make decisions about the appropriateness of data to use in testing and will avoid use of PII, PHI, or other types of protected information. Cypress makes commercially reasonable efforts to protect confidentiality of information that is provided to Cypress Cloud.

Please note that any test content stored in a Public Project will be available and accessible publicly.

Does Cypress require access to my systems or source code?

No. The open-source Cypress app runs locally within the customer environment, typically on a user’s computer and/or within a continuous integration pipeline, and executes tests written and owned by the customer. Test results and metadata are sent to Cypress Cloud for the purposes of quickly viewing the current state of your application(s), identifying problematic trends through rich analytics, and diagnosing unreliable tests with the support of tools like Flaky Run Detection and Analytics.

Where is my test content stored and how is it protected?

All test content and test results are encrypted in transit with TLS 1.2 or greater and at rest using AES-256 or greater. Data is stored within the boundaries of the United States of America (USA) in a multitenant environment which employs technical controls that logically separate data.

How is my data protected in-transit and at-rest?

All data is encrypted in transit and at rest. Data in transit is encrypted using industry standard cipher suites which promote security and performance while being protected with TLS1.2 or greater. All data at rest is encrypted using AES-256 or greater.

Does Cypress Cloud offer SSO?

Yes! Cypress Cloud supports federated authentication for Google and GitHub at no additional cost. Enterprise SSO (SAML2) is available to Business and Enterprise customers.

Does Cypress Cloud support Role Based Access Control (RBAC)?

Yes! Cypress Cloud supports multiple user roles with varying levels of permissions.

How can I keep Cypress up-to-date?

The Cypress app does not automatically update. We recommend that users install and run the latest version of Cypress at all times to maintain current on new features, enhanced performance, and improved security. Updated container images and npm packages are made available with each release. Customers can expect minor version updates approximately every two weeks throughout the year.

Does Cypress need access to a customer's network or systems?

Cypress Cloud services do not need access to the customer’s network. The Cypress app operates internally on a customer’s network and then, optionally, sends test results to Cypress Cloud. The only thing sent to Cloud is what the customer chooses to send. At no time do the Cypress Cloud services reach in to the customer’s network.

Does Cypress use FTP?

No. Cypress does not use encrypted (FTPS) nor unencrypted (FTP).

In the event of a disaster, what is the estimated time of resumption for Cypress Cloud?

Cypress has internal RTO (Recovery Time Objective) and RPO (Recovery Point Objective) targets of twenty-four (24) hours.

Has Cypress experienced a security breach in the past three years?

No. To date, Cypress has not experienced a security breach.

Are customers permitted to perform security testing against Cypress?

No. Cypress performs extensive SCA, SAST, DAST, and third-party penetration testing regularly and does not permit individual customer security testing against Cypress services.

Does Cypress offer a Bug Bounty program?

No. Cypress does not currently offer a Bug Bounty program with or without financial rewards. However, Cypress does encourage responsible disclosure of potential vulnerabilities to secur[email protected]. We ask that individuals refrain from submitting potential security vulnerabilities through GitHub issues to ensure confidentiality.

Does Cypress provide availability data publicly?

Yes! Cypress maintains a publicly available status page at www.cypressstatus.com. All availability and relevant information will be published there in near real time.

Does Cypress store any data on removable media?

Cypress does not use removable media to store, process, or transfer test content.