Security Policy
We’re serious about security. At every step of the way, we’re making sure that your data is safe and secure: in the code we write, the infrastructure we use, and the policies we follow.
Security Measures
- Access Control — Access to data is restricted to employees who require it to perform their job (need to know).
- Authentication — We use Google Authentication for our applications and services. In cases where using Google Authentication exclusively is not possible, we use individual logins with unique passwords and MFA stored in a password manager.
- Backups — Your data is backed up regularly and stored securely.
- Changes to Infrastructure — The configuration of our infrastructure is, where possible, managed through Infrastructure as Code or configuration files that benefit from peer review and version control, just like our source code.
- Cloud Hosting — We use managed services from Render.com and Google Cloud Platform to host our applications and databases. This means that we benefit from industry best practices (including ISO 27001 and SOC 2 compliance), state-of-the-art infrastructure, and security configurations and updates, and that we minimize the risk of misconfigurations and vulnerabilities.
- Code Review — Major changes to our application are reviewed by at least one other developer before being deployed.
- Continuous Integration — We use CI/CD to automate testing and deployment of our applications. This way, we can catch issues early, ensure that our code is always in a deployable state and always build from a known state.
- Data Minimization — We only collect the data we need to provide our services.
- Devices — Our team uses secure devices and follows best practices for securing them, including using full disk encryption, strong passwords, and secure network connections.
- Encryption — All data is encrypted in transit and at rest. We use TLS to encrypt data in transit and encrypt data at rest using AES-256 encryption.
- Privacy by Design — We design our applications and services with privacy in mind, including data minimization, data protection, and user control.
- Logging — We log all access and changes to our applications and services. This way, we can track down issues and identify potential security incidents. We also log all activity users perform in our applications for auditing purposes.
- Software Dependencies — We carefully review and track the dependencies we use in our applications and services. We apply patches and security updates in a timely manner.
- Monitoring — We monitor our applications and services for unusual activity and potential security incidents, as well as for performance and availability.
- Verification — We verify the identity of all users through email verification on each login, or through a trusted third party. We deliberately choose this over using passwords.