Onshape enables you to grant permissions when you share your private documents with other users. These permission levels provide you with fine-grained control over the actions a specific user who you share with can undertake in the shared document:
Communication between Onshape’s cloud servers and users’ web browser clients and mobile devices is always encrypted, however if documents are shared with users that have malicious intent, they could by manual or automated means reproduce the documents’ data for their own purposes irrespective of the permissions you assign. For example, Onshape cannot prevent receiving users from taking screenshots, nor can Onshape prevent attempts to reverse engineer information sent to the browser or mobile client.
As with all important company or personal data, Onshape recommends that you exercise caution at all times when sharing and that you limit permission levels to the minimum necessary. In highly sensitive situations where you are concerned about the behavior of the recipients, you should consider copying the data to another Onshape document, defeaturing the data, sharing the data in only a tessellated format, or other techniques to remove detailed information.
For more on the specifics of sharing in Onshape, click here.
Onshape has achieved a SOC 2, Type 2 certification using the AICPA’s Trust Service Criteria for security, availability and confidentiality. A copy of Onshape’s SOC 2 report is available under NDA.
Onshape uses a third-party payment processing service. Credit card information is encrypted in your browser or mobile client and sent directly to this service. Credit card information is not transmitted to Onshape’s servers and is not stored by Onshape. Our payment processing service is PCI compliant and our use of their service preserves that PCI compliance.
Onshape requires HTTPS for all services, including our public website and our community forum. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use automated tools to test our live servers for susceptibility to new and existing SSL/TLS vulnerabilities. We use HSTS to ensure browsers interact with Onshape only over HTTPS.
All Onshape documents are saved on encrypted storage with AES-256. All communication between our internal compute servers and the internal databases holding your Onshape documents uses TLS v1.2. We block weak cipher suites and prioritize stronger ones for communication between your client and our service. We only utilize very strong cipher suites between our internal servers.
Onshape never stores customer passwords in the clear. We use strong, one-way, cryptographic hash functions so that even if our internal password storage is compromised, the original passwords cannot be recovered.
Onshape contracts with a third-party testing service that employs a global team of professional security researchers. These researchers are paid to find and report security vulnerabilities in our service. This security testing is ongoing and continually validates the stream of Onshape’s service updates against existing and newly announced threats.
We rapidly investigate all reported security issues. If you believe you've discovered a bug in Onshape's security, please get in touch with us at email@example.com (optionally using our PGP key at the bottom of this page). We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Onshape.
Our PGP key is below. You can use this key to encrypt your communications with Onshape, or verify signed messages you receive from Onshape. (Unfamiliar with PGP? Have a look at GPG, and start by importing a public key.)
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
-----END PGP PUBLIC KEY BLOCK-----