Chapter 8 Security and Compliance

Security for your applications running on shinyapps.io is a function of both the hosting environment and your application code. RStudio is dedicated to providing a hosting environment that implements best practices for security. In building your application, it is your responsibility to ensure that your data and application logic are not exposed.

Each app is deployed into its own container, and the network access between containers is tightly controlled. All access to the apps is over SSL, and if you have the Standard plan or above, you can configure your app to require authentication before anyone can access it.

The system is designed so that every account has its own sub-directory structure, with security enforced at the file system and operating system levels. The storage for each container is not permanent, so if you need to store data, we strongly recommend that you push that data into your own data store. That could be a database such as Amazon’s RDS, or it could be on a file system accessible from within your application.

shinyapps.io is currently hosted on Amazon Web Services (AWS) infrastructure in the us-east-1 region. The infrastructure used is not the HIPAA-compliant stack, so if you need to be in a HIPAA-compliant environment, we recommend deploying and operating your own Shiny Server or Shiny Server Professional instance.

We do not currently run third-party security audits on shinyapps.io. If you would like to run your own tests against the service, please notify us at security@rstudio.com, and we would be happy to discuss your plans.

Unfortunately, we are unable to help with security questionnaires for shinyapps.io today. If your organization requires them, we would recommend running Shiny Server Pro within your own secure environment.