Team Policies

All Transloadit employees and freelancers/consultants that handle code or data, should sign our Consultancy Services Agreement. The agreements refers to this Work Policy, which contains more hands-on guidelines, that may evolve over time in correspondence with our team. This allows us to very specifically name fast moving technologies that would risk deprecating our contracts if we kept them there.

Security & Privacy

Customers and Vulnerability Researchers may find our Security page more relevant.

In addition to the confidentially clauses of our agreement, please take these up to date practical guidelines to heart.

To apply security best practices on the devices where the Confidential Information is kept:

  • Install software updates for your OS & apps regularly. This includes computer, phone, tablet, but also the firmware of routers, modems, and IOT equipment. Make sure they are up to date, and discard of devices that are EOL.
  • Do not connect to the internet without a firewall (e.g. by setting your modem in bridge mode).
  • On public/untrusted Wi-Fi (Wi-Fi that strangers can join: hotel, lan party, cafe), encrypt and tunnel work traffic via a VPN or SSH tunneling (if you can work exclusively from your browser). SSH traffic is excluded from this.
  • Use an encrypted harddrive.
  • Use 2FA where possible, and at least for GitHub, Google, Dropbox, NPM and other vital services.
  • Make a best effort to keep a papertrail of OS level / security logs for for 30 days or more.
  • Use an unpriviliged account (no root/Administrator) by default.
  • Use an audited and well established password manager to keep your passwords, do not save your passwords elsewhere. use the passwords manager's ability to install strong passwords for all your important accounts, private and work-related.
  • Only transmit secrets to collegues via Signal, after enabling auto-expiring messages.
  • Do not check out Transloadit's private repositories on servers or other devices, other than your primary workstation(s).
  • When creating accounts for Transloadit, never use a personal email address (but or instead).


  • Section 3.1 of our contract states that you need written agreement before adding Third-party code. When writing Pull Requests that include open source licensed code, an approval or merge by a repository admin counts as such.

Do not stray from these guidelines without written permission by Transloadit's founders.