Security, Privacy, and Compliance

Working with ngrok means working with a vetted, secure solution and a seasoned team that understands security

Trusted by over 5 million developers and recommended by category leaders

Twilio, Slack, HackerOne, GitHub, Okta

Security at ngrok

The ngrok service is designed, built, maintained, monitored, and regularly updated with security in mind. We use the shared security responsibility model, a framework adopted by many cloud providers — including Amazon AWS, Microsoft, and Salesforce — to identify the distinct security responsibilities of the customer and the cloud provider. In this model:

ngrok is responsible for the security of the ngrok service. ngrok is also responsible for providing features you can subscribe to in order to secure your services.
Our customers are responsible for securing how they use the ngrok service. This includes, for example, granting the correct permissions to users and administrators, disabling accounts and auth tokens when employees are terminated, properly configuring features required to protect your data, and keeping ngrok agents updated in our systems.

How ngrok secures its software development process

The ngrok software development lifecycle is designed with precautions to reduce security risks during code development while delivering software functionality. ngrok adopts rigorous processes and automation to ensure consistency across development.

How ngrok secures its service

ngrok implements runtime controls at the service level to ensure the confidentiality, integrity, and availability of its service.

Philosophy

Our general philosophy for keeping our production environments secure has two main components: defense in depth and principle of least privilege.

Access control

We practice 'least privilege' access grants. Engineers get the minimum level of production access they need. Shell access to production machines uses industry best practices of SSH certificate authorities to grant time-limited access in extraneous circumstances. We keep audit logs of all grants to access production machines. Services that manipulate cloud resources are granted least privilege access grants via an associated 'Role' they assume to perform those operations.

Data encryption

All data is encrypted at rest. This includes databases, host filesystems, network-mounted file systems, and data sent to data warehousing services. All secrets and keys uploaded by users are further encrypted at the application layer with keys that only we control. All internal secrets used by ngrok are stored encrypted at rest with key rotation using industry secret key storage provided by HashiCorp Vault. For API keys, credential tokens, and passwords, we only keep one-way salted hashes of users' credential tokens.

Resources

Recommendations for using ngrok securely

This guide will walk you through recommendations for ensuring you are using ngrok securely.


Best security practices on developer productivity

Learn the best practices to secure developer teams using ngrok while leveraging your company security stack.

Trust portal

Learn more about ngrok's security controls. Access our compliance certifications and attestations.

Service status

Review ngrok's real-time and historical data on system performance.


Is ngrok safe?

ngrok is not malware, a virus, or a malicious tool. ngrok is an application used for tunneling; unfortunately, that makes ngrok an attractive target for bad actors trying to phish credentials or create back doors into private networks. This means ngrok could be flagged by antivirus software. How can you use ngrok safely?

Check out our guide on how to secure ngrok.

If you see something, say something. We proactively monitor and ban any accounts we identify that are involved with these attacks, and also work with 3rd parties that report malware and abuse via abuse@ngrok.com and our abuse APIs.

If your antivirus software is marking ngrok as a virus, please report it as a false positive.


Data Sovereignty

Our customers can use ngrok through our public service or our private offering for complete control of their data and processes. For more information about our private offering, contact our sales team and read our primer about data at ngrok.

Compliance

ngrok is SOC 2 Type 2 compliant.

The SOC 2 Type 2 attestation certifies that ngrok's security processes and operations are in place and that we follow these processes and operations on a daily basis, meeting AICPA's trust services criteria for security.

ngrok provides access to the SOC 2 reports as well as all third party security upon request at the ngrok security and trust portal.

Have security needs like HIPAA? Talk to us
