Security by design
Fully secure networks
Deploys into your secure networks
Develocity can be deployed to secure networks on-premise or in your cloud environment, co-located with your CI infrastructure for low-latency remote cache access. You can also deploy it into air-gapped networks.
Cloud-native security
Adheres to cloud-native security best practices
Designed around Kubernetes security best practices for secret management and service accounts, Develocity fits perfectly into a cloud-native security architecture.
Secure development
Built with hardened development processes
All development for Develocity follows a rigorous security methodology, including continuous vulnerability scanning, dependency analysis, artifact integrity checks, and regular third-party penetration testing.
SOC2 Compliant
SOC2 Type 2 Compliant
We work with independent auditors to maintain a SOC2 Type 2 report, which independently attests to the design and operating effectiveness of our controls over the Security and Confidentiality of our customers' data. Review our reports and other documentation in our Trust Portal.
Key Capabilities
Privacy is at the heart of Gradle
Privacy by design for new product features and internal processes.
Compliance with Data Protection regulations in all countries we operate in, including GDPR and CCPA.
Minimal data sharing required. Customers self-host Develocity and only share contact information with us for Customer Support purposes.
Our Data Processing Agreement, Transparency Report, and other important information are available at gradle.com/data-protection.
Organizational security
Trust Portal
- Get copies of our SOC2 Type 1 and 2 reports and other relevant Security Policies from our Trust Portal at trust.gradle.com
SOC2
- Gradle Inc. holds a SOC2 Type 2 report covering our on-premise delivery of Develocity and the support we provide as part of our service.
- It also covers the Develocity instances for the Open Source Software Projects ‘Revved up by Develocity’ that we host and manage in our AWS infrastructure.
- Employees review and acknowledge a range of policies as a condition of their access and employment.
Dedicated Security Team
- Led by our Head of Security, the team comprises IT, Cloud, and Application Security experts.
Access Control
- We're a remote-first company with stringent Conditional Access policies to ensure only company-managed, secure devices that comply with our policies can access our internal resources.
- FIDO2 Security Keys are enforced for all employees.
- Access to customer data is on a need-to-know basis and follows the principle of least privilege.
HR Security
- Background checks in accordance with local laws are carried out on all new employees and contractors.
- Confidentiality agreements are in place with all employees and contractors.
IT Security
- Workstations are all company-owned, managed, and locked down to CIS baselines, including encryption, screensaver, SSO integration, Endpoint Detection and Response, remote wipe capabilities, and audit logging.
- BYOD mobile devices are managed and secured via Mobile Device Management technologies, which enforce encryption, data isolation, passcodes, and remote wipe capabilities.
- The security team is staffed with full-time IT security engineers.
Security Awareness
- Employees must complete Security Awareness and Data Protection training upon hire and annually thereafter.
- Weekly automated phishing simulations are conducted to train employees to spot and report malicious emails.
- Engineers carry out annual Secure Code Training.
Application Security
- Annual secure code training for all engineers, including the OWASP Top 10 security risks
- Production data is never used outside of production environments
- Security review on relevant designs and implementation
- Static Application Security Testing (SAST)
- Vulnerability management, including code and deployment dependencies (SCA)
Vulnerability Management
- Workstations and browsers are patched weekly
- Servers are patched monthly
- Continuous vulnerability scanning through agent-based, web, dynamic (DAST), and static (SAST) testing
- Software composition analysis, including code and system-level dependencies
- Develocity penetration tested with each major release, four times a year
- Responsible disclosure policy and bug bounty program
Physical Security
- Gradle is a remote-first company with the vast majority of employees working remotely on company-provided equipment. Screen locks, disk encryption, and hardware security keys are enforced.
- Gradle uses AWS data centers certified as ISO 27001, PCI DSS Service Provider Level 1, and/or SOC 2 compliant. Learn about Compliance at AWS.
- AWS infrastructure services include backup power, HVAC systems, and fire suppression equipment to help protect servers and, ultimately, your data. Learn more about Data Centre Controls at AWS.
- AWS on-site security includes security guards, fencing, security feeds, intrusion detection technology, and other security measures. Learn about AWS physical security.
Cloud Security
- We have a full range of cloud-native Security tooling in place and actively monitor it to detect and prevent threats in our cloud environment
- Resources are managed through Infrastructure as Code (IaC), and every change passes security policy and quality checks before it is committed
- Annual infrastructure penetration tests
- Encryption at rest and in transit
Vendor Management
- Vendors are reviewed before onboarding for compliance with our Vendor Management Policy, and critical vendors are re-reviewed annually.