Security Statement

We have a client that is a major German manufacturer, and they are conducting an IT security audit on us at the moment.

We've just had notification that we've failed the audit.

One of the failing points is:

  • Has the cloud service supplier provided assurance documentation? (E.g. SSAE-16 / ISAE 3402, SOC 2, 3, CSA - STAR - Self Assessment, Attestation, Certification, ISO27001)

Even if you don't hold the certification they are asking for, it would be really helpful if you could elaborate on your approach to security to reassure them that their data is safe in your infrastructure.

Of course, I can describe all the things I do in the application, but I'm unable to reassure them about the underlying infrastructure.



We don't have any specific documentation like that, though this page describing AWS's security documentation will probably be helpful.

Regarding our own security: each PythonAnywhere account runs all of its code inside a virtualized sandbox, using code based on Linux containers -- essentially the same foundation as Docker, but a different implementation. This stops different accounts from accessing files and data belonging to other people. For account security, we provide two-factor auth and other security mechanisms. And we also have a bug bounty program, which helps us keep the service safe by incentivising security researchers to report any issues to us.