Security at Goldsky
How we protect customer data and earn the trust of the enterprise and fintech teams running production systems on Goldsky.
Product security
Every change to Goldsky's codebase goes through peer code review before it reaches production. Our CI pipeline scans dependencies for known vulnerabilities on every commit and blocks accidental credential commits with automated secret scanning.
We engage independent third-party security firms to test our systems on a regular cadence and track every finding to closure.
Infrastructure security
Goldsky runs on AWS in the us-west-2 region with strict separation between development, staging, and production environments. Production access is limited to a short list of on-call engineers, and multi-factor authentication is required for every Goldsky employee.
Production infrastructure runs inside a VPC, with network ACLs and security groups gating access and no publicly exposed administrative interfaces. Production databases are backed up daily across multiple AWS regions, and infrastructure events flow into continuous monitoring.
Live service status is published at status.goldsky.com. Major incidents trigger status page updates, with direct communication to affected customers over email and Slack.
Data security
In transit
All traffic to and from Goldsky is encrypted with TLS 1.2 or newer; older, insecure protocols are disabled at the network edge.
At rest
Customer data in our control planes is encrypted at rest with AES-256 using AWS KMS-managed keys, covering account information, API keys, configuration, and transformed outputs. Each customer environment is logically isolated, and access requires authentication scoped to that customer.
Public blockchain data
Public chain data sourced from networks like Ethereum, Base, and Polygon is already public on the underlying networks, so we do not encrypt it at rest. Any customer-specific data layered on top is encrypted.
Retention and deletion
We retain customer data for the lifetime of the account and follow a documented schedule for deletion once an account is closed. Logs and telemetry are minimized so that sensitive payloads do not leak into operational systems.
Data residency
Customer data is stored on AWS in the us-west-2 region. Dedicated and region-specific deployments are available for customers with data residency requirements.
Identity and access
Single sign-on (SSO)
Goldsky supports sign-in via Google and GitHub on every plan tier. SAML SSO is available as an option for enterprise customers who need to connect Goldsky to a corporate identity provider.
Role-based access control (RBAC)
Role-based access control is available on every plan tier and lets you scope what each member of your team can see and do inside your Goldsky workspace.
Organizational security
Goldsky's technical controls are backed by people and process. Every new hire goes through a background check where local law allows, and completes mandatory security training during onboarding and again every year. Engineering and infrastructure teams receive additional role-specific training covering secure coding, incident response, and access management.
We maintain a documented incident response plan with a 24/7 on-call rotation, review the security posture of every vendor before onboarding them as a subprocessor, and run regular access reviews to keep production privilege scoped tightly.
Layer in additional security controls
Teams with stricter security, compliance, or governance requirements can extend Goldsky with the following enterprise-grade options.
SAML SSO
Connect Goldsky to your corporate identity provider (Okta, Microsoft Entra, Google Workspace, and other major SAML providers) for centralized provisioning, deprovisioning, and policy enforcement.
Audit logs
Detailed activity logs let your security team review who did what, when, across your account.
Execution traces (Compose)
Goldsky Compose surfaces full execution traces for every workflow run, built for the compliance, security, and audit requirements of financial institutions and other regulated teams.
IP allowlisting
Restrict access to your Goldsky endpoints to a defined set of IP addresses or ranges.
Private and dedicated deployments
Single-tenant infrastructure inside Goldsky-managed cloud accounts, isolated from shared environments.
Bring your own cloud (BYOC)
Deploy Goldsky into your own AWS account so data and compute stay inside your cloud boundary, under your existing logging, monitoring, and compliance controls.
Get in touch with our security team
For vulnerability reports, security questionnaires, contracted SLAs, or anything else our security team can help with, email [email protected].
