Security at Modal
The document outlines Modal’s security commitments.
Application Security (AppSec)
AppSec is the practice of building software that is secure by design, secured during development, secured with testing and review, and deployed securely.
- We build our software using memory-safe programming languages, including Rust (for our worker runtime and storage infrastructure) and Python (for our API servers and Modal client).
- Software dependencies are audited by Github’s Dependabot.
- We make decisions that minimize our attack surface. Most interactions with
Modal are well-described in a gRPC API, and occur through
modal-client, our open-source command-line tool and Python client library. - We have automated synthetic monitoring test applications that continously check for network and application isolation within our runtime.
- We use HTTPS for secure connections. Modal forces HTTPS for all services using TLS (SSL), including our public website and the Dashboard to ensure secure connections. Modal’s client library connects to Modal’s servers over TLS and verify TLS certificates on each connection.
- Internal code reviews are performed using a modern, PR-based development workflow (Github), and engage external penetration testing firms to assess our software security.
Corporate Security (CorpSec)
CorpSec is the practice of making sure Modal employees have secure access to Modal company infrastructure, and also that exposed channels to Modal are secured. CorpSec controls are the primary concern of standards such as SOC2.
- Access to our services and applications is gated on a SSO Identity Provider (IdP).
- We mandata phishing-resistant multi-factor authentication (MFA) in all enrolled IdP accounts.
- We regularly audit access to internal systems.
- Employee laptops are protected by full disk encryption using FileVault2, and managed by Secureframe MDM.
Network & Infrastructure Security (InfraSec)
InfraSec is the practice of ensuring a hardened, minimal attack surface for components we deploy on our network.
- Modal uses logging and metrics observability providers, including Datadog and Sentry.io.
- Compute jobs at Modal are containerized using runc, and we are actively integrating virtualization using gVisor, the sandboxing technology developed at Google as the engine for Google Cloud Functions, and Cloud Hypervisor, the open source Virtual Machine Monitor for modern cloud workloads.
- We conduct annual business continuity and security incident exercises.
Vulnerability Remediation
Security vulnerabilities directly affecting Modal’s systems and services will be patched or otherwise remediated within a timeframe appropriate for the severity of the vulnerability, subject to the public availability of a patch or other remediation mechanisms.
If there is a CVSS severity rating accompanying a vulnerability disclosure, we rely on that as a starting point, but may upgrade or downgrade the severity using our best judgement.
Severity: Timeframe
- Critical: 24 hours
- High: 1 week
- Medium: 1 month
- Low: 3 months
- Informational: 3 months or longer
SOC2
As of May 17th, 2023 we are preparing for a SOC2 Type I audit, and expect to have SOC2 finalized by end of June 2023.
PCI
Payment Card Industry Data Security Standard (PCI) is a standard that defines the security and privacy requirements for payment card processing.
Modal uses Stripe to securely process transactions and trusts their commitment to best-in-class security. We do not store personal credit card information for any of our customers. Stripe is certified as “PCI Service Provider Level 1”, which is the highest level of certification in the payments industry.