We have completed a full external audit of our security practices

A little background on security at Streamlit

Security has been integral to how we have built Streamlit from day one.

Our engineering team has worked with some of the best security talent in the industry, and these experiences have shaped how we build and design secure software. That’s why our product works well with your existing security protocols.

Streamlit apps are the code that you write, and Streamlit Cloud runs that code to serve your apps to your users. Streamlit Cloud stores only a copy of your code and none of your data. Since you control both the code and the data sources, it’s very easy to implement your preferred security practices. On our end, we always uphold industry best practices for encrypting data in transit, securely storing authentication credentials, providing SSO integration for accessing the app, and much more.

Today we’re thrilled to announce that we’ve completed a full external audit of these security practices and Streamlit Cloud is now SOC 2 Type 1 compliant.

In this article, we’re going to share with you what SOC 2 is, why it matters, and how we comply with it.

What is SOC 2?

Service Organization Control (SOC) 2 is a SaaS industry standard that shows customers if a business has effective security controls. The American Institute of CPAs (AICPA) has developed SOC 2 to define how businesses should manage customers' data. Basically, it was designed to make you feel safe about the information you share with any business.

The typical SOC 2 audit is based on five Trust Services Criteria: security, availability, processing integrity, confidentiality, and privacy. When a company undergoes the SOC 2 audit process, it can choose which of the five to focus on. We chose to focus on security and confidentiality.

After the audit, the company gets either Type 1 or Type 2 SOC 2 report that reflects its unique business practices. Type 1 covers compliance at a given moment. Type 2 covers it over a longer period of time.

On October 31st, 2021, Streamlit Cloud has been certified as SOC 2 Type 1. You can request the full audit report by emailing us at support@streamlit.io.

Why is SOC 2 important?

SOC 2 is important because your management needs it. Or your security team. Or, your organization is SOC 2 certified, but to use a new service that might touch your sensitive data they require your vendors to be SOC 2 certified.

This certification lets us be an easy-to-approve vendor for you.

If you're new to Streamlit, or if your compliance questions have stopped you before from signing up, we hope this new certification gives you more confidence in testing out Streamlit Cloud for securely sharing apps within your organization.

Also, every SOC 2 report has “your responsibility” and “the provider’s responsibility” sections. One of the key responsibilities we want to call out is that you must connect to your organization’s services securely. Often, this is as simple as storing your authentication secrets by using our Secrets feature to connect to your data store via TLS.

You can find guidance on how to connect to various data stores in our docs, and you can always reach us at support@streamlit.io if you have any questions. We’re here to help you every step of the way. 🙂

What does it mean for you?

You’ll continue to benefit from our investment in security and data privacy as we keep adding even more security features and options to the product. You can also read about our security approach on our privacy policy page and in our documentation on trust and security.

Have questions? Drop us an email at support@streamlit.io.