Security processes and secure data management

CloudBees platform for SDM is a preview, with early access for select preview members. Product features and documentation are frequently updated. If you find an issue or have a suggestion, please contact

CloudBees has a dedicated operations team that manages the CloudBees production environment and other environments within the CloudBees infrastructure.

Production data and infrastructure access

Production data and infrastructure for CloudBees platform for SDM are housed in a production environment accessible only to operational team members and lead CloudBees platform for SDM product engineers. This is a very small, core group.

Code deployments and quality checks

All commits to the CloudBees platform for SDM codebase have to go through a pull request review by at least one other team member before being merged into the master branch.

Deployments are done automatically by the continuous integration system. Only the CI system has the credentials to deploy to the staging and production environments.

Data retention policy

At present, data is stored in perpetuity. A CloudBees Operations engineer with the correct permissions can purge data as a manual action on request.

Data deletion policy

At present, no data is deleted. You can request data removal by contacting CloudBees.

Passwords and secrets

No passwords or security credentials are stored in the source code. All credentials are securely stored in a secrets management system. The production infrastructure reads these credentials dynamically at startup. Only the product infrastructure has the credentials to read this data from Vault; engineers do not.

Multi-tenancy environments and record-level isolation

CloudBees platform for SDM has been architected to support a multi-tenancy environment that uses record-level isolation so that data in each row is specific to an account in the database. Other customers cannot search or view your data. Customers do not have direct access to their data and can only view their own information via the CloudBees platform for SDM user interface.

For details about CloudBees' data privacy policy and security policy, review the CloudBees Terms of Service at

Automated security scanning practices

CloudBees product teams use SonarQube to perform routine static analysis security scanning. SonarQube is used to scan the front-end JavaScript repository.

This is done on each merge to the master branch of the CloudBees platform for SDM front-end repository. The SonarQube quality profiles and gates have been tuned for each project to help separate the signal from the noise.

CloudBees platform for SDM also uses WhiteSource to scan every deployment, both to detect and prioritize work on security issues found in open source components and to keep our Software Bill of Materials up to date.

How the CloudBees platform for SDM service is hosted

The CloudBees platform for SDM service is hosted in a Virtual Private Cloud on Amazon Web Services (AWS), in one of Amazon’s data centers in the United States, currently AWS US-East-1.

Data is stored in PostgreSQL and encrypted at rest. Communication to the Elasticsearch cluster is over HTTPS, and the ports are only open to the services in the CloudBees Virtual Private Cloud.

How data is encrypted in transit and at rest

All information and requests are transmitted over HTTPS. Data in transit uses Transport Layer Security 1.2 (TLS 1.2). Data is also encrypted at rest. All data is encrypted in transit between the end user and CloudBees platform for SDM, and between third-party systems, such as GitHub and Jira, and CloudBees platform for SDM.

We specify current strong cipher suites, and continue to monitor industry trends and best practices via external monitoring to ensure we’re up to date with our cipher suite listing.

Data is scoped at the organization level, and data identifiers are prefixed with the organization’s unique ID, which is created at account creation time.

Copyright © 2010-2020 CloudBees, Inc. Online version published by CloudBees, Inc. under the Creative Commons Attribution-ShareAlike 4.0 license.