As a cloud-native solution, security, trust, and reliability are imperative to our success. Onshape has an internet-based infrastructure, so we prioritize security by enforcing robust measures. This includes end-to-end encryption, continuous monitoring, and regular compliance checks with industry standards. Our security framework is meticulously crafted to protect data at every stage of product design and collaboration. We ensure that your work stays secure, private, and accessible solely to authorized personnel. This allows you to concentrate on what truly matters: designing and building exceptional products.
With Onshape's permission settings, users have complete control over who can edit, view, and/or share their data, ensuring intellectual property integrity. Onshape keeps your data safe while by facilitating seamless, file-free collaboration by making use of URL/hyperlink based sharing. This cloud approach to sharing data improves workflow efficiency while protecting intellectual property. Documents are kept on secure servers, and permissions can be adjusted or revoked instantly.
Onshape completes a SOC 2, Type 2 audit annually, which certifies compliance with the American Institute of Certified Public Accountants (AICPA) SOC 2 Trust Services Criteria requirements. This delves into security policies, communication protocols, software design, data access controls, risk mitigation strategies, and more. This is a rigorous external audit that assesses whether a company's systems and processes are properly designed and adhered to.
A copy of Onshape’s SOC 2 report is available under NDA.
Onshape uses a third-party payment processor to handle transactions securely. Credit card details are encrypted and sent directly to the processor from your device, bypassing Onshape’s servers. This ensures your sensitive financial information is not stored by Onshape. The processor adheres to PCI standards, helping maintain payment security and compliance.
Onshape prioritizes security for all online interactions by mandating HTTPS across our public website, community forums, and other services. Comprehensive audits on SSL/TLS configurations, including certificate validation, issuing authorities, and cipher suites, are regularly conducted. Automated tools continuously assess our servers for vulnerabilities, and HSTS is employed to guarantee browser interactions occur strictly over secure connections.
Onshape encrypts all documents with AES-256 and utilizes TLS v1.2 for all communications between your web client or mobile device and our servers. We block weak cipher suites while prioritizing the strongest available for secure, robust client-service interactions.
Onshape contracts with a third-party testing service that employs a global team of professional security researchers. These researchers are paid to find and report security vulnerabilities in our service. This security testing is ongoing and continually validates the stream of Onshape’s service updates against existing and newly announced threats
We rapidly investigate all reported security issues. If you believe you've discovered a bug in Onshape's security, please get in touch with us at security@onshape.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Onshape.
Onshape never stores customer passwords. We use strong, one-way, cryptographic hash functions so that even if our internal password storage is compromised, the original passwords cannot be recovered.
Our PGP key can be found at the link below. You can use this key to encrypt your communications with Onshape or verify signed messages you receive from Onshape. (Unfamiliar with PGP? Have a look at GPG, and start by importing a public key.)
This informational guide helps engineers partner with IT on their journey to take their CAD to the Cloud. Download it to learn how Onshape handles security, privacy, data protection, administration, enterprise integration and more.