Compliance, Security and Privacy

In all areas from infra to application, we apply best practices like minimum privileges, separation of roles, and effective monitoring. Beginning in the end of 2022, we intend to maintain a thorough third party accreditation program, including:

  • Risk Assessment and Mitigation
  • Penetration testing and vulnerability scanning
  • Employee eduction and training
  • Information Security Auditing (e.g. SOC2, ISO27001, HITRUST)

Data Access

Coherence has access to 2 important services, your source provider (github, gitlab, bitbucket) and your cloud provider (GCP, AWS, Azure, etc...)

  • On github, we use personal access tokens (scopes repo and read:user) to identify each user when they use a workspace or configure and environment. We also use a github app installed on coherence-enabled repos in order to receive webhooks for push events and create check runs to communicate CI status.
  • On GCP, you grant a coherence-managed service account (that we generate for uniquely for each application) an "Owner" (or otherwise a custom role which still requires enough permission to manage your account) in your cloud IAM controls. You are still in control of what role this account has and can remove access at any time. This account is used to manage resources in your cloud account on your behalf, and generates further service accounts for more granular use as/where appropriate. Wherever possible, Coherence uses best practices like Workload Identity to minimize key handling as well as systems such as Cloud KMS to encrypt what keys we do store when at rest

It's important to note that you can grant access to new "test" accounts in either system when first testing Coherence - you don't need to connect to your current cloud projects and data until you want to use existing databases in those projects.

Responsible Disclosure

Please report any bugs, vulnerabilities, publicly available/hosted confidential information, or other relevant information to [email protected] We'd appreciate it if you granted us private notice at that address before any public disclosure.


Did this page help you?