
Security at Humanitec

To say security is important to us at Humanitec is a huge understatement. It is at the heart of everything we do, driving not only how we build and operate our platform but also shaping our daily activities and decisions as a company. Security is not just a priority for us—it is a fundamental aspect of how we conduct our business and deliver value to our users.

We understand that trust in our platform relies heavily on how well we protect your data and secure our services. To ensure we meet the highest standards, we have established a comprehensive security program. This includes collaborating with external auditors and data protection specialists, as well as implementing robust procedures to regularly evaluate risks, threats, and vulnerabilities. Our management process is designed to constantly address and adapt to evolving security needs, ensuring that our users’ data is safe at all times.

To maintain objectivity and transparency, we rely on third-party certifications and regular audits performed by external organizations. This ensures that our security practices are independently validated and meet globally recognized standards.

Our Senior Management team leads the charge in ensuring that security is embedded in every part of our organization. They are responsible for driving a culture of security awareness and ensuring that all levels of our business are equipped with the necessary knowledge and capabilities. By fostering collaboration across teams and departments, we take a holistic approach to security, guaranteeing the confidentiality, availability, and integrity of your data.

This page outlines the policies and security measures we have in place to protect the content and data hosted on our platform from unauthorized access. We are committed to providing you with transparent and comprehensive information about how we manage security.

How we protect your data

Our infrastructure runs on Google Cloud Platform (GCP) and Amazon Web Services (AWS), both of which deliver infrastructure as a service with prime security capabilities.

Humanitec is SOC 2 Type II Certified

We have achieved SOC 2 Type II certification, reflecting our adherence to rigorous standards for security, availability, processing integrity, confidentiality, and privacy.

To request the full report please contact security@humanitec.com.

GDPR Compliance with Vanta

Humanitec ensures full compliance with the General Data Protection Regulation (GDPR) through Vanta's automated solutions. This underscores our dedication to data protection and privacy for users in the European Union.

Data storage and encryption at rest

Your data is encrypted at rest in AWS S3 buckets and GCP Cloud SQL instances. AES-256 encryption is used by default with the platform’s encryption services, ensuring your data remains safe and preserved.

Encryption in transit

All communication of your data between you, your services, and Humanitec traverses the Internet via encrypted HTTPS traffic using TLS v1.2. Data is also encrypted during transit between Humanitec and our Content Delivery Networks (CDNs). This ensures data integrity and confidentiality during communication.

Annual penetration tests

Our infrastructure, web applications, and APIs are penetration tested annually by independent external parties. Any vulnerabilities found are remediated within defined internal SLAs.

Backups

All our data, including S3 buckets and daily database backups, is replicated and encrypted at rest using AES-256 encryption with keys provided by HashiCorp Vault.

Access to data

Access to your data is highly restricted. Authorized support engineers and appropriate staff can access your data only after obtaining explicit permission, and all actions are logged and monitored.

Physical security

As a cloud-native service, Humanitec does not operate its own data centers. Physical security for servers is managed by AWS and GCP under their certifications. Additionally, office physical security is governed by our internal security program.

Threat detection

We continuously monitor activity using Datadog for anomaly detection and early detection of irregularities.

Secure headers

To protect users from attacks, we leverage browser protections such as HTTP Strict Transport Security (HSTS).

Data retention policy

User data is retained as long as required. Our Data Retention and Data Classification Policies govern how data is managed for deletion and retirement.

How we keep our service reliable

Auto-scalable Kubernetes

To provide a reliable and seamless experience, we run all our software components in containers orchestrated by Kubernetes. This setup allows us to automatically scale resources up or down based on system demands, ensuring that our services can handle high volumes of traffic without interruptions. By using Kubernetes, we ensure that our infrastructure remains agile and responsive to your needs, regardless of the workload.

Additionally, our platform includes robust tracking and version control mechanisms. These features allow us to roll out updates and new features with minimal disruption to our services. Our microservice architecture and technology stack have been designed from the ground up to prioritize high availability, offering you a dependable platform for your operations.

Disaster recovery and business continuity

We take a proactive approach to ensuring our platform remains operational, even in the face of unexpected events. Our disaster recovery strategy is built on a foundation of redundancy and resilience. By utilizing database replication architectures, we ensure that your data is always available and accessible, even in the event of a failure.

We create frequent encrypted backups of all critical data and store them both onsite at the data center and in remote locations. This ensures that we can quickly recover and restore services in the event of an outage. Redundant components, such as multiple servers providing the same services, further bolster our ability to withstand failures.

Our hosting providers, GCP and AWS, add another layer of protection, with robust physical security and safeguards against environmental hazards. These measures allow us to maintain business continuity and deliver uninterrupted services, even under challenging circumstances.

How we keep our code secure

Vulnerability management

Code security is a continuous process at Humanitec, one that begins with identifying and addressing potential vulnerabilities. We use an internal vulnerability management tool to track and prioritize issues based on their severity and potential impact. Each vulnerability is assigned an owner, ensuring accountability and clear timelines for resolution.

Our internal Service Level Agreements (SLAs) define deadlines for fixing vulnerabilities, with progress monitored through dedicated tools. In cases where vulnerabilities require deeper analysis, we conduct post-mortems to identify root causes and implement lessons learned. This approach not only resolves current issues but also helps us enhance our processes and prevent future occurrences.

Code peer review

At Humanitec, collaboration is a cornerstone of our development process. Code peer reviews ensure that every line of code is scrutinized by multiple engineers before it is integrated into our system. This rigorous process leverages GitHub’s pull request mechanism, where team members or engineers from other departments review commits. Only after all reviewers approve a pull request does the code proceed in the development lifecycle, ensuring quality and reducing the likelihood of vulnerabilities.

Quality Assurance (QA)

Testing is an integral part of our development process, and we take it seriously. Before new code is deployed to production, it undergoes rigorous testing in a staging environment. This environment mirrors our production infrastructure but operates on a smaller scale and does not use real user data. By isolating QA processes in a separate GCP cluster, we ensure that testing does not interfere with live operations.

Secure Software Development Lifecycle

Security is embedded in every stage of our software development lifecycle. We adopt a “security by design” philosophy, which means security considerations are integral to product and architecture design. From planning and implementation to testing and deployment, we take steps to minimize risks and address potential vulnerabilities proactively.

Our engineers are held to a high standard of accountability for the code they produce. This culture of responsibility ensures that quality and security are always top priorities, leading to robust, secure, and reliable software.

How we secure our business

Security monitoring and Incident Management

We continuously monitor our systems for signs of potential security incidents. This includes tracking indicators and events that could signal vulnerabilities or breaches. Our event-alerting tools are configured to escalate issues directly to our 24/7 incident response team, ensuring swift action whenever necessary.

In addition to monitoring, we have a well-documented incident response plan. This plan outlines the steps for notifying stakeholders, escalating issues, managing incidents, and reporting outcomes. It ensures that all incidents are handled efficiently and with minimal disruption to our services.

Security awareness program

Security is not just the responsibility of a single team—it’s a company-wide commitment. Every employee and contractor at Humanitec is required to adhere to our security and data privacy policies. These policies are reinforced through training programs, ensuring that everyone understands their role in maintaining security. Our standard contracts also include confidentiality clauses, emphasizing the importance of protecting sensitive information.

Vendor security management

We work with numerous vendors and third-party providers, each of whom is carefully assessed for security risks. Our Vendor Security Assessment Questionnaire (VSAQ) is based on industry standards from the Vendor Security Alliance (VSA) and Cloud Security Alliance (CSA). Vendors who access confidential information must comply with strict security and data privacy requirements, ensuring that our standards are upheld across all partnerships.

Multi-factor authentication

To enhance security, we enforce multi-factor authentication (MFA) across all critical systems. MFA combines something you know (like a password) with something you have (like a code from an authentication app). This additional layer of protection significantly reduces the risk of unauthorized access. Employees, contractors, and customers are all encouraged to use MFA for added security.

How you can protect your data

Roles and permissions

We strongly advocate for the principle of “least privilege” when it comes to managing access to your data. By assigning roles and permissions, you can control who has access to what, minimizing the risk of unauthorized actions. This approach not only protects sensitive information but also reduces the potential damage in the event of a security breach.

HTTPS

While Humanitec enforces HTTPS for all communications between our platform and your users, we recommend that you also enforce HTTPS for your own websites and applications. This ensures that all data exchanged between our services and your users’ devices is encrypted, maintaining integrity and confidentiality.

In case of a security incident

Despite our best efforts, incidents can happen. At Humanitec, we are prepared to respond swiftly and effectively. Our incident management process is designed to minimize impact, restore services, and address the root cause.

If personal data is involved, we comply with GDPR requirements, including notifying affected customers and relevant authorities without undue delay. Our security team is always available to provide assistance and can be contacted at security@humanitec.com.

©2025 Humanitec. All Rights Reserved.