Compliance, Security, and Privacy
In all areas of the Coherence software development life cycle, from the infrastructure to the application, we apply best practices such as least privilege, separation of roles, and effective monitoring. The Coherence Control Plane is hosted on Google Cloud Platform (GCP).
Coherence achieved SOC 2 Type II compliance (with Vanta) after completing a validation process that included:
- A risk assessment
- Employee education and training
- Information security auditing (SOC 2 Type I and II, HIPAA)
Coherence operates a responsible disclosure program (see below). A copy of the SOC 2 report is available on request, under NDA.
Data access
Coherence accesses your data from two important services: your source provider (for example, GitHub, GitLab, or Bitbucket) and your cloud provider (for example, GCP, AWS, or Azure).
Source-provider access
GitHub
We use a GitHub App installed on Coherence-enabled repos to receive webhooks for push events and to create check runs that report CI status. We can also support a Personal Access Token (PAT) if you prefer; contact Coherence Support to set one up.
Users access the Coherence GitHub app via OAuth and receive repo-scoped tokens that Coherence stores and uses to authenticate users automatically when they submit provisioning tasks or deploy from the Coherence UI.
Coherence accesses your source code via automated systems in the process of building and deploying applications. Any copies of source code are only stored temporarily while they are being processed (they are deleted at the end of the jobs), and our employees do not have direct access to these copies. All job processing is conducted on ephemeral instances that are routinely replaced and do not have permanent storage, further reducing the risk of accidental access to your source code.
Excepting emergency procedures for bugs or other incidents, your source code will not be seen by Coherence employees or stored on Coherence systems.
Cloud-provider access
Coherence manages resources in your cloud account through an identity you grant permissions to: a Coherence-managed service account on GCP, or a Coherence-controlled IAM user on AWS (details for each provider below). You are always in control of the role that this account has, and can audit or remove access at any time via your cloud provider's IAM tools. The account is used to manage resources in your cloud account on your behalf, and creates further service accounts for more granular use where appropriate. Wherever possible, we use best practices like Workload Identity to minimize key handling, and systems like Cloud KMS to encrypt at rest any keys that Coherence does store.
Excepting emergency procedures for bugs or other incidents, Coherence employees do not have the permissions to act as the service account you grant access to. We encourage you to use the auditing tools available in your cloud platform to monitor all your important systems for unexpected access to production data or configurations.
It's important to note that you can grant access to new "test" accounts in either system when first testing Coherence. You don't need to connect to your current cloud projects and data until you want to use existing databases in those projects.
GCP
On GCP, you grant a Coherence-managed service account (generated uniquely for each application) the "Owner" role, or another custom role with enough permission to manage your project, in your cloud IAM controls. Owner is the broadest basic role; where your policy requires it, a custom role limited to the resource types Coherence manages can be granted instead, and the binding can be narrowed or revoked at any time.
AWS
On Amazon Web Services (AWS), we create an IAM user in an account that we control. You then grant this IAM user permission to manage resources on your behalf.
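The auditing recommended above can be scripted against your own log exports. The following is an added example, not Coherence's code: it normalizes GCP Cloud Audit Log entries and AWS CloudTrail records to one shape and flags three things worth a human look for the identity you delegated: a permission change made by that identity, a different principal minting credentials as the delegated GCP service account, and activity in a GCP project you never connected. The service account email, the AWS account ID, the project names and the six sample events are constructed for illustration, and the field mapping covers only the subset of each log format the checks need.

```python
"""Review exported cloud audit events for the identity delegated to a platform vendor.

Added example, not Coherence's code. Identities, project names and the sample
events are constructed; the field mapping covers only the fields used here.
"""
import json
from dataclasses import dataclass
from typing import Optional

# Assumed delegated identities; take the real ones from your own IAM.
DELEGATED_PRINCIPALS = {
    "coherence-app-1234@example-vendor.iam.gserviceaccount.com",  # GCP service account (assumed)
    "AWSAccount:444455556666",                                   # vendor AWS account, as seen cross-account (assumed)
}
# GCP projects you intentionally connected (assumed names).
CONNECTED_PROJECTS = {"projects/acme-staging", "projects/acme-prod"}
# Actions that change who can do what; review each one the delegated identity performs.
IAM_CHANGE_ACTIONS = {"SetIamPolicy", "CreateServiceAccountKey",                  # GCP
                      "PutBucketPolicy", "AttachUserPolicy", "CreateAccessKey"}   # AWS
# iamcredentials.googleapis.com methods that mint credentials *as* a service account.
IMPERSONATION_ACTIONS = {"GenerateAccessToken", "GenerateIdToken", "SignBlob", "SignJwt"}
WILDCARD_PROJECTS = {"projects/-", "projects/_"}  # placeholders GCP uses in some resource names


@dataclass(frozen=True)
class Event:
    time: str
    principal: str
    action: str
    resource: str


def normalize(raw: dict) -> Event:
    """Reduce a GCP Cloud Audit Log entry or an AWS CloudTrail record to one shape."""
    if "protoPayload" in raw:                                  # GCP LogEntry
        p = raw["protoPayload"]
        return Event(raw["timestamp"],
                     p["authenticationInfo"]["principalEmail"],
                     p["methodName"].rsplit(".", 1)[-1],       # "...IAMPolicy.SetIamPolicy" -> "SetIamPolicy"
                     p.get("resourceName", ""))
    ident = raw["userIdentity"]                                # AWS CloudTrail record
    # Cross-account callers appear as type AWSAccount plus accountId, with no ARN.
    principal = ident.get("arn") or f"{ident.get('type', 'unknown')}:{ident.get('accountId', '')}"
    return Event(raw["eventTime"], principal, raw["eventName"],
                 json.dumps(raw.get("requestParameters") or {}, sort_keys=True))


def gcp_project(resource: str) -> Optional[str]:
    """'projects/acme-prod/instances/db' -> 'projects/acme-prod'; None for non-GCP resources."""
    parts = resource.split("/")
    return "/".join(parts[:2]) if len(parts) >= 2 and parts[0] == "projects" else None


def findings(raw_events) -> list:
    """Return (rule, event) pairs for audit events that need a human look."""
    out = []
    for ev in map(normalize, raw_events):
        delegated = ev.principal in DELEGATED_PRINCIPALS
        proj = gcp_project(ev.resource)
        if (not delegated and ev.action in IMPERSONATION_ACTIONS
                and any(p in ev.resource for p in DELEGATED_PRINCIPALS)):
            out.append(("impersonation", ev))       # someone else acting as the delegated SA
        elif delegated and ev.action in IAM_CHANGE_ACTIONS:
            out.append(("iam_change", ev))          # delegated identity changing permissions
        elif delegated and proj and proj not in WILDCARD_PROJECTS | CONNECTED_PROJECTS:
            out.append(("out_of_scope", ev))        # activity in a project you never connected
    return out


SA = "coherence-app-1234@example-vendor.iam.gserviceaccount.com"


def _gcp(ts, method, resource, who):          # constructed GCP LogEntry skeleton
    return {"timestamp": ts, "protoPayload": {"methodName": method, "resourceName": resource,
                                               "authenticationInfo": {"principalEmail": who}}}


def _aws(ts, name, params, **ident):          # constructed CloudTrail record skeleton
    return {"eventTime": ts, "eventName": name, "requestParameters": params, "userIdentity": ident}


SAMPLE_EVENTS = [  # constructed; expected verdict in the trailing comment
    _gcp("2024-05-01T12:00:00Z", "google.cloud.run.v1.Services.ReplaceService",
         "projects/acme-staging/locations/us-central1/services/web", SA),           # ok
    _gcp("2024-05-01T12:01:00Z", "SetIamPolicy", "projects/acme-prod", SA),          # iam_change
    _gcp("2024-05-01T12:02:00Z", "GenerateAccessToken",
         f"projects/-/serviceAccounts/{SA}", "someone@example.com"),                  # impersonation
    _gcp("2024-05-01T12:03:00Z", "cloudsql.instances.get",
         "projects/acme-finance/instances/ledger", SA),                              # out_of_scope
    _aws("2024-05-01T12:04:00Z", "UpdateService", {"cluster": "staging", "service": "web"},
         type="AWSAccount", principalId="AIDAEXAMPLE", accountId="444455556666"),    # ok
    _aws("2024-05-01T12:05:00Z", "PutBucketPolicy", {"bucketName": "acme-assets"},
         type="AWSAccount", principalId="AIDAEXAMPLE", accountId="444455556666"),    # iam_change
]

if __name__ == "__main__":
    for rule, ev in findings(SAMPLE_EVENTS):
        print(f"{ev.time}  {rule:<13} {ev.principal}  {ev.action}  {ev.resource}")
```

Treat the `iam_change` rule as a review trigger rather than an alarm: the page notes that the delegated account creates further service accounts for granular use, so some IAM calls are expected, and you would tune the rule to the resources those calls legitimately touch. The `impersonation` rule is the one that should be empty in normal operation, since nobody other than the platform's own automation should be minting tokens as the service account you granted.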
Vendor risk
We know that Coherence, when used fully, plays a critical role in your software development process. Choosing a vendor that will become a daily part of your engineering workflow is not a decision to be made lightly.
We break the risk of choosing Coherence as a vendor into three parts, and address each below:
- Company solvency: Will we still be around in X years?
- Impact radius: If we went away overnight, would your company stop running?
- Security and privacy risk: Is choosing Coherence going to get your company hacked?
Company solvency
Coherence is founded by an experienced team of tech leaders and funded by A-tier venture capital firms and accomplished angel investors. We have substantial runway remaining and strong prospects for continued growth and financing. Each customer we add makes our company stronger; so by using Coherence, you're reducing the vendor solvency risk.
Impact radius
We have designed our system from the ground up to minimize the risk that Coherence's actions could pose to your uptime. In fact, it's one of the strongest reasons to choose Coherence over an alternative such as a Platform-as-a-Service. If we were to vanish overnight with no warning, nothing would happen to your deployed environments or resources, and your customers would not notice that anything had changed. Ultimately, Coherence sits between your developers and your cloud, not between your cloud and your users.
- Environments without custom domains, which use SOMETHING.cncsites.com URLs, depend on the DNS systems and domain registration for cncsites.com remaining available. You can apply a custom domain to each environment on a per-environment basis in Coherence, and it's unlikely that a customer-facing environment would use such a domain.
That said, we want to highlight both the gap that our disappearance would create and the steps we'd take if we chose to wind down. To state it clearly: We do not intend to disappear with no warning, but rather to work as your partner in the unlikely event that this becomes necessary.
- The CNC project enables you to seamlessly migrate off Coherence in the event of our dissolution. It also makes Coherence the least locked-in option among developer platforms in general. With CNC, the core provision/build/deploy logic of Coherence is in an open-source, MIT-licensed, infrastructure-as-code framework that you can customize and run anywhere. If necessary, all you'd need to do to get your environments running outside Coherence is use something like this CI/CD Workflow.
Security and privacy risk
As outlined in the rest of this document, Coherence takes every commercially reasonable measure to architect our systems for low risk to your data and customers. You always remain in control of our access to your cloud systems and can audit our activity continuously using systems we do not control. Additionally, you can revoke our access at any time.
Responsible disclosure
Please report any bugs, vulnerabilities, publicly available or hosted confidential information, or other relevant information to security@withcoherence.com. We'd appreciate it if you granted us private notice at that address before any public disclosure.
Terms
You agree to two different terms and conditions when using Coherence:
- The Terms of Use and Privacy Policy on withcoherence.com that govern how we use information collected on our public marketing site and associated pages.
- The Trial Use Agreement that governs our use of the application at app.withCoherence.com (beta) and the information we collect in the course of providing the services to you and your team. You accept these terms when you register your team on our platform. If you have any questions or concerns about the agreement, please reach out to hello@withcoherence.com and we'll be happy to discuss them.