Our services are hosted on the Salesforce Heroku platform. We opted for Heroku for a variety of reasons, including their industry-leading security and reliability. They maintain accreditations under ISO 27001, ISO 27018, PCI DSS Level 1 and publishes SOC1 Type 2 and SOC2 Type 2 reports. Heroku provides advanced network and operational security protections that are periodically reviewed as part of our vendor management processes. Learn more.
Our services are hosted on Amazon Web Services (AWS) infrastructure. We don’t host or run our own routers, load balancers, DNS servers or physical servers. Amazon data-centers feature 24-hour manned security, biometric access control, video surveillance, and physical locks. All systems, networked devices, and circuits are constantly monitored. AWS facilities are accredited under ISO 27001, SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II), PCI Level 1, FISMA Moderate and Sarbanes-Oxley (SOX). Learn more about AWS security.
USA or EU hosted – your choice
By default our customers are served from data-centres and data sub-processors in the United States of America, with our primary services hosted in Northern Virginia. Enterprise customers are offered the option of an EU-hosted environment with our primary services and data sub-processors located exclusively in EU member-state countries.
Encryption in transit – All data sent to or from our infrastructure is encrypted in transit via industry best-practices using Transport Layer Security (TLS 1.2 or 1.3).
Encryption at rest – All our user data is encrypted using the battle-proofed AES256 encryption algorithm in our databases.
We aren’t in the business of handling or storing credit card numbers – your card details are directly captured and stored securely by Braintree (a PayPal company), our payments provider. Braintree is certified as PCI Level 1 compliant, and listed as a Visa® Global Compliant Provider and MasterCard® Compliant Provider (SDP). Learn more about Braintree security and compliance.
Application security monitoring
- We use a security monitoring solution to get visibility into our application security, identify attacks and respond quickly to a data breach.
- We use technologies to monitor exceptions, logs and detect anomalies in our applications.
- We collect and store comprehensive logs to provide an audit trail of our applications activity. Our logs are frequently reviewed by our security team to identify anomalies.
- We use Sqreen to monitor our applications. Security events are logged and notifications are sent in case of critical attacks to allow for fast remediation.
Application security protection
- We use a runtime protection system that identifies and blocks OWASP Top 10 and business logic attacks in real-time.
- We use security headers to protect our users from attacks. Our services have received an A grade from SecurityHeaders.io
- We use Sqreen to integrate security in our applications and protect our users from data breaches. It integrates protections against the most critical attack categories like SQL injections, cross-site scripting and adds security headers to our application. It blocks attacks in real-time and warns us when attackers start stressing our applications.
Suspected security incidents, including any logical and physical security breaches are ticketed, tracked and resolved following our incident response policy and procedures. If you have any questions or suspect an incident may have occurred, please contact firstname.lastname@example.org
Enterprise customers can elect to be notified of any problems via email. Our hosting platform usually obviates the need for downtime when we make changes to our services. However, we will notify customers by email at least 24 hours in advance of any planned downtime.
Your privacy, protected
Data retention and removal
Business continuity and disaster recovery
We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. We capture a full backup of customer data every 12 hours. Backups are securely encrypted and stored for 30 days, at which point they are securely destroyed. We have established Business Continuity and Disaster Recovery plans and review them annually.