Security

Last Modified: Feb 23, 2023

Audits and monitoring

Watershed has completed a SOC 2 Type II audit, with no noted exceptions.

Interested parties may request security documents and view up to date security monitors at our Trust Page.

We also engage an outside firm to conduct penetration tests at least annually to test the security of our web application and cloud infrastructure.

Authentication

Watershed supports Single Sign-On authentication via Google Workspace, SAML, or OpenID Connect. Other authentication options include Magic Link authentication via email and password authentication, although we recommend SSO. When we do store passwords, we use PBKDF2 hashes, and a per-password 32 byte salt generated using a Cryptographically Secure Pseudo-Random Number Generator.

Data security

We encrypt data both in transit and at rest. We use TLS 1.2+ to secure HTTP traffic, and AES-256 to encrypt data at rest in Google Cloud Storage.

Audit logs

We maintain audit logs for our infrastructure and for key actions within the Watershed product. Customers can access product audit logs for their organization via our API. Our logs are structured, and are retained for at least 30 days.

Secure SDLC

We consider security risks and tradeoffs from the beginning of the requirements definition and design process, through to implementation, deployment, and operations. We review for security concerns during our code review and pull request process, and we use automated scanners to detect vulnerabilities in open source dependencies.

Monitoring and alerting

We use a variety of tools for performance monitoring and error logging across our web application, data services, and background jobs. Alerts are configured to go to the appropriate on-call engineers.

Responsible disclosure policy

If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@watershed.com. We will acknowledge your email within one week.

Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.

Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Watershed service. Please only interact with accounts you own or for which you have explicit permission from the account holder.

While researching, we’d like you to refrain from:

  • Denial-of-Service (DoS)
  • Spamming
  • Social engineering or phishing of Watershed employees or contractors
  • Any attacks against Watershed’s physical property or data centers