Chapter 8 Security and Compliance

Security for your applications running on shinyapps.io is a function of both the hosting environment and your application code. RStudio is dedicated to providing a hosting environment that implements best practices for security. In building your application, it is your responsibility to ensure that your data and application logic are not exposed.

Each app is deployed into its own container, and the network access between containers is tightly controlled. All access to the apps is over SSL, and you can configure your app to require authentication prior to anyone accessing it if you have the Standard plan or above.

The design of the system is for every account to have its own sub-directory structure, and to enforce the security at the file system and operating system levels. The storage for each container is not permanent, so if you need to store data, our strong recommendation is for you to push that data into your own data store. That could be a database such as Amazon’s RDS, or it could be on a file system accessible from within your application.

shinyapps.io is currently hosted on Amazon’s Web Services (AWS) infrastructure in the us-east-1 region. The infrastructure used is not the HIPAA-compliant stack, so if you need to be in a HIPAA-compliant environment, we recommend deploying and operating your own Posit Connect or Shiny Server Open Source instance.

We perform penetration tests regularly against shinyapps.io to ensure the environment is safe to run customer applications. Customers are not permitted to run load or network penetration tests against any part of the shinyapps.io infrastructure; tests that target the shinyapps.io site or infrastructure could result in a suspension of the account.

Unfortunately, we are unable to help with security questionnaires for shinyapps.io today. If your organization requires them, we would recommend running Posit Connect within your own secure environment.