Onshape Security Practices

Our comprehensive approach to privacy, data, and intellectual property security

Why is Security & Privacy our #1 Priority?

As a cloud-native solution, security, trust, and reliability are imperative to our success. Onshape has an internet-based infrastructure, so we prioritize security by enforcing robust measures. This includes end-to-end encryption, continuous monitoring, and regular compliance checks with industry standards. Our security framework is meticulously crafted to protect data at every stage of product design and collaboration. We ensure that your work stays secure, private, and accessible solely to authorized personnel. This allows you to concentrate on what truly matters: designing and building exceptional products.

Key Features

Sharing

With Onshape's permission settings, users have complete control over who can edit, view, and/or share their data, ensuring intellectual property integrity. Onshape keeps your data safe while by facilitating seamless, file-free collaboration by making use of URL/hyperlink based sharing. This cloud approach to sharing data improves workflow efficiency while protecting intellectual property. Documents are kept on secure servers, and permissions can be adjusted or revoked instantly.

External Audits

Onshape completes a SOC 2, Type 2 audit annually, which certifies compliance with the American Institute of Certified Public Accountants (AICPA) SOC 2 Trust Services Criteria requirements. This delves into security policies, communication protocols, software design, data access controls, risk mitigation strategies, and more. This is a rigorous external audit that assesses whether a company's systems and processes are properly designed and adhered to.

A copy of Onshape’s SOC 2 report is available under NDA.

PCI Security Standards

Onshape uses a third-party payment processor to handle transactions securely. Credit card details are encrypted and sent directly to the processor from your device, bypassing Onshape’s servers. This ensures your sensitive financial information is not stored by Onshape. The processor adheres to PCI standards, helping maintain payment security and compliance.

Communications Security

Onshape prioritizes security for all online interactions by mandating HTTPS across our public website, community forums, and other services. Comprehensive audits on SSL/TLS configurations, including certificate validation, issuing authorities, and cipher suites, are regularly conducted. Automated tools continuously assess our servers for vulnerabilities, and HSTS is employed to guarantee browser interactions occur strictly over secure connections.

Encryption

Onshape encrypts all documents with AES-256 and utilizes TLS v1.2 for all communications between your web client or mobile device and our servers. We block weak cipher suites while prioritizing the strongest available for secure, robust client-service interactions.

Onshape Government

Onshape Government

 Onshape Government is a secure, cloud-native CAD and PDM solution tailored for U.S. government agencies, defense contractors, and organizations working with sensitive or regulated projects. Built on AWS GovCloud, Onshape Government helps customers meet ITAR and EAR compliance requirements.

Additional Information

Onshape contracts with a third-party testing service that employs a global team of professional security researchers. These researchers are paid to find and report security vulnerabilities in our service. This security testing is ongoing and continually validates the stream of Onshape’s service updates against existing and newly announced threats

We rapidly investigate all reported security issues. If you believe you've discovered a bug in Onshape's security, please get in touch with us at security@onshape.com. We will respond as quickly as possible to your report. We request that you not publicly disclose the issue until it has been addressed by Onshape.

Onshape never stores customer passwords. We use strong, one-way, cryptographic hash functions so that even if our internal password storage is compromised, the original passwords cannot be recovered.

Our PGP key can be found at the link below. You can use this key to encrypt your communications with Onshape or verify signed messages you receive from Onshape. (Unfamiliar with PGP? Have a look at GPG, and start by importing a public key.)

Onshape's Enterprise IT and Security Guide

This informational guide helps engineers partner with IT on their journey to take their CAD to the Cloud. Download it to learn how Onshape handles security, privacy, data protection, administration, enterprise integration and more.

ebook mockup cover