Here at Onshape, we take security very seriously so that you and your teams can focus your time and effort on what you do best: building exceptional products. We are proud that we can provide our users with security practices that go far beyond what most traditional CAD users are able to do on their own. We hope the following summary of some of our key security practices is helpful. If you have further questions, or if you would like to share your perspectives on our approaches to securing the information you entrust to us, feel free to participate in Onshape’s community forum, or contact us at security@onshape.com.
Onshape enables you to grant permissions when you share your private documents with other users. These permission levels provide you with fine-grained control over the actions a specific user who you share with can undertake in the shared document:
Communication between Onshape’s cloud servers and users’ web browser clients and mobile devices is always encrypted, however if documents are shared with users that have malicious intent, they could by manual or automated means reproduce the documents’ data for their own purposes irrespective of the permissions you assign. For example, Onshape cannot prevent receiving users from taking screenshots, nor can Onshape prevent attempts to reverse engineer information sent to the browser or mobile client.
As with all important company or personal data, Onshape recommends that you exercise caution at all times when sharing and that you limit permission levels to the minimum necessary. In highly sensitive situations where you are concerned about the behavior of the recipients, you should consider copying the data to another Onshape document, defeaturing the data, sharing the data in only a tessellated format, or other techniques to remove detailed information.
For more on the specifics of sharing in Onshape, click here.
Onshape has achieved a SOC 2, Type 2 certification using the AICPA’s Trust Service Criteria for security, availability and confidentiality. A copy of Onshape’s SOC 2 report is available under NDA.
Onshape uses a third-party payment processing service. Credit card information is encrypted in your browser or mobile client and sent directly to this service. Credit card information is not transmitted to Onshape’s servers and is not stored by Onshape. Our payment processing service is PCI compliant and our use of their service preserves that PCI compliance.
Onshape requires HTTPS for all services, including our public website and our community forum. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use automated tools to test our live servers for susceptibility to new and existing SSL/TLS vulnerabilities. We use HSTS to ensure browsers interact with Onshape only over HTTPS.
All Onshape documents are saved on encrypted storage with AES-256. All communication between our internal compute servers and the internal databases holding your Onshape documents uses TLS v1.2. We block weak cipher suites and prioritize stronger ones for communication between your client and our service. We only utilize very strong cipher suites between our internal servers.
Onshape never stores customer passwords in the clear. We use strong, one-way, cryptographic hash functions so that even if our internal password storage is compromised, the original passwords cannot be recovered.
Onshape contracts with a third-party testing service that employs a global team of professional security researchers. These researchers are paid to find and report security vulnerabilities in our service. This security testing is ongoing and continually validates the stream of Onshape’s service updates against existing and newly announced threats.
We rapidly investigate all reported security issues. If you believe you've discovered a bug in Onshape's security, please get in touch with us at security@onshape.com (optionally using our PGP key at the bottom of this page). We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Onshape.
Our PGP key is below. You can use this key to encrypt your communications with Onshape, or verify signed messages you receive from Onshape. (Unfamiliar with PGP? Have a look at GPG, and start by importing a public key.)
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1
mQENBFTvtBQBCAC/e6b97SwuGK3lxMPH4lg+GZEM9xQrUccxoxj0eTgBBEMBbe6vvTK6v6Z6y0bBGHFYiuGXmlqw/lP8+jLOQV5107i3Y1D2EO/73ntEkumFlmVISuhnW7qUHg7B8mKKeQq/mHlSDj3APwmy+pH2ljdWxahn/g8Be+H5AOvdGC04qU2AvuNkwolhDE2uoGONXsXLVdME/xEEq9XEmc0iOdcB2g03JBfLtN6E8HyGJFZJJ6+JkutxOC9AH39QaU4VvLUhSUU6zzcJclV0RjvpsjclIKrg3A+7gfcvtvbuAnrqVmq79NUFj7HUkteY4793A5YG8rrCq7sCD52hMvx1rlxFABEBAAG0J09uc2hhcGUgU2VjdXJpdHkgPHNlY3VyaXR5QG9uc2hhcGUuY29tPokBPgQTAQIAKAUCVO+0FAIbAwUJCWYBgAYLCQgHAwIGFQgCCQoLBBYCAwECHgECF4AACgkQVjoY5TorsTPIMAf9FuXym5/crtdPzVA3mX8ZBVSNvpIj7ZHLPWGSPDCC94d9QJ6AM+tZ5baUDcxr4LSjrNNvzaW5pOsUfOJFny4qLjqqhOrf5r7Tz7hCut9vZbk9OTsoNpSLlN3c01krzW7nLWSuzkDtRwP7xafp4kRX6jfgD3RNnA9+LK8SUjmeaWa/py5xKtZrcwrx9Wx92fl/nJzShOHKoKTrSgGL4iWWZgHCVqG1DatiIbCDu3aC1PHXVKey9IsKJwgNF6L3H0u2B640OakboyQv7KnSdmSjrwTJ14SPTqGZWlfAp993NxLjb6CTyG4wu76RNhK5B3bOjT41XV6ItEHY5vFQdbKv/bkBDQRU77QUAQgArlny9yTyoMEW+7f/UkVpLVW4WXVkTSYpbK00Me0kZW9e4qO5FmE3x/6zkW2n0LgplHp2dnS8SaFJJLj8FKtdvgz6IqkIhRYXAzuwj11eQWP/oDzs9f5EwmE8u7E7+GUxdiTYAw0yX8Dk8GBTbyVEvc/wLUhaP4yelKQDuE9umPHTEsbDuLMwCtf3K+oCP17mG0PH2lM/EjW/Yd+JiBdaiTEeMWoFDkQFNKXsaLF5MN0AgHRVWMa19Kn90sWFNQWHkyZaAVvv10aF4S+hxtt/x4CheQTGMDeEIuigP6jr6/GgcMQqtF2DT644E2K9ti7ev4jZVqennW2hDS+AFMJltwARAQABiQEkBBgBAgAPBQJU77QUAhsMBQkJZgGAAAoJEFY6GOU6K7Ez+1QH9A5gyaI03cdoURo3L8SsCd2075eibNhmMiQYupq5DfrM5KWwtHE87aHKiU46VSsyuyuWMskkZgddHIkxrVmg2EXZhVA/in72Yw+69VHLqYsWPiLdeRJ3KyWmOQqADDas1bGTwZKKoyd94h/65GLGaBVrUpc0LYzANYMEsknv4TSbhwrYUGF8xjfthFe3xjAD2RKkGU6KjI7h98VbDa8h86PA6OnlhGrU4Fn5w99tRKfCIPwi3iASBanC24sdss4I+mSW0BNI/TemMdXcm0KTcYQjLnzFs669Zi9BUkd8Jix4r4uBD9mqVxIgfMU3/zmhujMNQ+oNgarAdrFeB42q
-----END PGP PUBLIC KEY BLOCK-----