Security Update from Sauce Labs

Posted Nov 11th, 2014

At Sauce Labs, we take security seriously. We recognize we have a responsibility to protect customer data, and we've designed our systems with that responsibility in mind. In this post, we'd like to take the time to explain some of our practices.

We work with large, high-profile clients whose security policies have required stringent implementation of industry-standard security measures. This enables them to meet strict compliance needs including Sarbanes-Oxley, the Affordable Care Act, HIPAA, and the Patriot Act. We use a variety of security technologies and procedures to help protect customer information from unauthorized access, use, or disclosure. Most significantly, we conduct quarterly security audits and penetration tests with a third-party security firm. In information security, as in software development, frequent testing is critical to achieving high quality. Beyond this, we also consider some key scenarios in our system architecture:

How are customer test sessions and assets protected?

  • Each session is run within our own secure data center, which is optimised for quickly booting and destroying VMs.
  • Each test runs on a pristine VM that is booted from a read-only image and completely destroyed at test end. VMs are never reused.
  • Our testing VMs run in-memory. No VM data is written to long-term storage media (SSD, HDD, tape, etc.).
  • We use audited and widely trusted third-party storage services for test assets (e.g., videos and screenshots).
  • Our testing VMs are isolated so they cannot see traffic from one another.
  • Our testing VMs do not have public addresses.

How are customer records protected?

  • Unsuccessful attempts to authenticate are logged and rate limited.
  • Passwords are stored as bcrypt hashes and never logged.
  • Database access is firewalled and requires authentication.

Additionally, these are some general policies and practices we maintain to secure customer data:

  • Physical access to our hosting facilities is limited to on-site technicians (at our request) and approved Sauce Labs staff. Biometric scanning, security camera monitoring, and 24/7 on-site staff provide protection against unauthorized entry. Our facilities are certified to either SOC2 or SSAE16 SOC-1 Type II standards. The facilities are also SOX, PCI, and EU Safe Harbor ready.
  • Authenticated web sessions with Sauce Labs are always done over HTTPS. We immediately respond to new security threats (e.g., Heartbleed, POODLE, Shellshock, etc.).
  • No credit card details are stored on our servers.
  • Dedicated firewalls are used to block unauthorized system access.
  • Systems access is logged for auditing purposes.
  • We abide by stringent internal password policies and use two-factor authentication.

If you have any remaining questions regarding our security efforts, do not hesitate to reach out at You may also be interested in our security whitepaper.

Written by

Steven Hazel

