Security and Privacy Guidelines

General Company Information

Docker, Inc. is a corporation registered in Delaware with its principal place of business in Palo Alto, California. Docker has subsidiaries in multiple countries. Docker and its subsidiaries are collectively described herein as “Docker” or the “Company”.

Organizational Security Measures

Global IT & Security Policy – Docker maintains a Global IT and Security Policy which applies to all of its employees and subsidiaries worldwide. The policy is consistent with all applicable local laws and makes employees responsible for safeguarding the company property and programs to which they have access.

Confidential Information – Docker employees are expected to respect and protect confidential information of the Company as well as any such information it may have as a result of a business relationship.

Physical and Technical Security Measures

Docker does not operate its own servers or networks. For storage, Docker relies on Amazon Web Services, in data centers located in Virginia, USA. Docker uses third-party application providers such as Google, GitHub, DropBox and Salesforce for its business requirements; it does not operate its own network for these applications or for the storage associated with them. Docker applies appropriate access controls to these applications, including multi-factor authentication and the single sign-on provider Okta. Employees have access only to information for which there is a specific need to know. Docker operates its business on a fully remote, distributed basis and does not maintain any physical office locations.

Data Privacy and Security

In general, Docker does not collect or store personal data, and the use of Docker products does not result in personal data being collected or stored. Docker receives customer information and associated email addresses in order to contact customers and to ensure support is available. Customers who pay Docker by credit card do so through a third-party provider; Docker does not collect or store any such payment information. To the extent Docker does hold data, it is used for product measurement and improvement.

Docker discloses only aggregate summary information to third parties, and nothing specifically identifiable: for example, the number of downloads of a piece of software and location information are provided to the software publisher, and we publish some public popularity data. All data is held in cloud-based data services. Admin and encryption keys are held in a safe or in encrypted password stores. All data is collected in product; portions of it are anonymous or immediately anonymized, while other portions are identifiable, such as the actions of logged-in users on Docker’s website. Any receipt of information is based on an opt-in by the user. Docker’s privacy policy and data processing agreement are located at https://www.docker.com/legal/privacy.

Responsible Disclosure

At Docker we take security seriously and consider it one of our top priorities. If you discover a security issue, please bring it to our attention.

Reporting a Vulnerability

Please DO NOT file a public issue, instead send your report privately to [email protected].

  1. Keep your report concise, preferably including steps to reproduce the issue and a proof-of-concept.
  2. Keep information about any vulnerabilities you have discovered confidential until we have had up to 90 days to resolve the issue.
  3. Please do not perform any security research which disrupts live services, violates privacy or corrupts other users’ data.
  4. Social engineering, physical attacks, denial of service and vulnerabilities in third-party components are considered out of scope.

We currently do not offer a paid security bounty program. Security reports are, however, greatly appreciated, and if you are the first to report a verifiable security issue you will be publicly credited for it, unless you request otherwise.

Third Party Review

Docker does not act as a system of record for any of its customers and has not engaged any third party for any SOC compliance or similar review. The Company does have its financial statements audited annually. Docker is a private company and its financial information is company confidential information.

Software Development and Lifecycle

Docker has implemented and maintains a secure software development life cycle for all applications which integrate with its environment or are developed on its behalf. Docker observes industry-standard application security guidelines such as those of the Open Web Application Security Project (OWASP). Docker ensures that (a) regular reviews of application source code occur, (b) developers receive detailed coding and design training in application security, and (c) development, testing, production and operational facilities are separated to reduce the risk of unauthorized access or changes to the production and operational systems.