Here at Onshape, we take security very seriously so that you and your teams can focus your time and effort on what you do best: building exceptional products. We are proud that we can provide our users with security practices that go far beyond what most traditional CAD users are able to do on their own. We hope the following summary of some of our key security practices is helpful. If you have further questions, or if you would like to share your perspectives on our approaches to securing the information you entrust to us, feel free to participate in Onshape’s community forum, or contact us at security@onshape.com.
Onshape enables you to grant permissions when you share your private documents with other users. These permission levels provide you with fine-grained control over the actions a specific user who you share with can undertake in the shared document:
Communication between Onshape’s cloud servers and users’ web browser clients and mobile devices is always encrypted. However, if documents are shared with users who have malicious intent, those users could, by manual or automated means, reproduce the documents’ data for their own purposes irrespective of the permissions you assign. For example, Onshape cannot prevent receiving users from taking screenshots, nor can Onshape prevent attempts to reverse engineer information sent to the browser or mobile client.
As with all important company or personal data, Onshape recommends that you exercise caution at all times when sharing and that you limit permission levels to the minimum necessary. In highly sensitive situations where you are concerned about the behavior of the recipients, you should consider copying the data to another Onshape document, defeaturing the data, sharing the data in only a tessellated format, or other techniques to remove detailed information.
Onshape has achieved a SOC 2, Type 2 certification using the AICPA’s Trust Service Criteria for security, availability and confidentiality. A copy of Onshape’s SOC 2 report is available under NDA.
Onshape uses a third-party payment processing service. Credit card information is encrypted in your browser or mobile client and sent directly to this service. Credit card information is not transmitted to Onshape’s servers and is not stored by Onshape. Our payment processing service is PCI compliant and our use of their service preserves that PCI compliance.
Onshape requires HTTPS for all services, including our public website and our community forum. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use automated tools to test our live servers for susceptibility to new and existing SSL/TLS vulnerabilities. We use HSTS to ensure browsers interact with Onshape only over HTTPS.
All Onshape documents are saved on encrypted storage with AES-256. All communication between our internal compute servers and the internal databases holding your Onshape documents uses TLS v1.2. We block weak cipher suites and prioritize stronger ones for communication between your client and our service. We only utilize very strong cipher suites between our internal servers.
Onshape never stores customer passwords in the clear. We use strong, one-way, cryptographic hash functions so that even if our internal password storage is compromised, the original passwords cannot be recovered.
Onshape contracts with a third-party testing service that employs a global team of professional security researchers. These researchers are paid to find and report security vulnerabilities in our service. This security testing is ongoing and continually validates the stream of Onshape’s service updates against existing and newly announced threats.
We rapidly investigate all reported security issues. If you believe you've discovered a bug in Onshape's security, please get in touch with us at security@onshape.com (optionally using our PGP key at the bottom of this page). We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Onshape.
Our PGP key is below. You can use this key to encrypt your communications with Onshape, or verify signed messages you receive from Onshape. (Unfamiliar with PGP? Have a look at GPG, and start by importing a public key.)