We take security seriously.

Gather uses bank-level security to protect your data. We don't store your bank logins. We encrypt our databases to ensure that your data stays your own.

We follow the Twelve-Factor App mantra and take security and separation of responsibilities seriously. Data in transit is always sent over TLS, with certificates issued by well-known and trusted Certificate Authorities. This is true of browser-to-client, client-to-server, service-to-service, as well as service-to-database communication.

Data at rest is encrypted using 256-bit AES encryption algorithms, with each encryption key being dually encrypted using a regularly-rotated set of master keys. Any personally identifiable information or information we deem as “sensitive” to the user is stored in an obfuscated manner, preventing those deemed of necessary privilege from making sense of the data, except in disaster recovery situations.

Strict IAM policies are enforced within our cloud provider to ensure only those deemed of necessary privilege have access to any data stored within our databases. Each account is required to authenticate using 2FA when logging in.

While we recognize that exploits in software and systems do in fact happen, our specific choices in technologies and managed services vastly limit the scope of vulnerabilities that may come up. In the event that they do, our build and release processes aid in patching and assessing these issues in a timely manner. Thereafter, we have strict internal policies to conduct post-mortems and root cause analysis to understand and prevent similar incidents from happening in the future.

All systems utilize centralized logging and monitoring to ensure optimal functionality of services, as well as to provide an audit trail for investigation if necessary.

©2023.