We recognize the importance of excellent security practices. While we are a small team, we work hard to punch above our weight on security.
- Access to servers, source code, and third-party tools is secured with two-factor authentication.
- We use strong, randomly-generated passwords that are never re-used.
- Employees and contractors are given the lowest level of access that allows them to get their work done. This rarely includes access to production systems or data.
- We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
- We don’t copy production data to external devices (like personal laptops).
- Our employees and contractors sign an NDA before gaining access to sensitive information.
User passwords are hashed using bcrypt before being stored, and if SAML SSO is required, password login is disabled.
To invite a team member, we send an email to the address provided with a token that expires in 90 minutes. If SAML SSO is required, email invites are disabled and new team members can only be added via IDP-initiated login.
When a user logs in, they are given an encrypted session cookie. The cookie is invalidated after 30 days of inactivity for password-based logins or after 7 days of inactivity for SAML-based logins. All further interaction with the app requires this cookie.
All communication between the users’ browsers and our backend is encrypted with TLS 1.2. Our backend server is managed by Render and uses their automated certificate management service. User data is stored in Render Postgres and details of their implementation can be found here.
Logs are stored separately from our backend infrastructure and are retained for 30 days, after which they are permanently deleted.
Application analytics can be permanently deleted on request.
Software development practices
- Code written by any developer is reviewed and signed off by at least one other person before it is committed.
- All code must meet our standards for automated test coverage and all tests must pass before deploying to a staging environment.
- Code is tested in a staging environment against a QA checklist before deploying to production.
Our code is regularly scanned for dependencies with known security vulnerabilities.
Vulnerable dependencies are patched and redeployed rapidly.
Our backend server is hosted on Render, which runs on top of Amazon Web Services.
Amazon’s data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
What user data do you collect?
We’re not in the business of making money off of data. We do collect information about how users are interacting with our app so we can improve the product and provide faster, more effective support when issues arise. These events include:
- Sign-In and Sign-Out events
- Interaction with features of the app
In addition, the following metadata is collected by our analytics provider:
- The user’s operating system version
- The user’s browser version
Users are identified in our system by their email address and are asked to provide a name. We don’t attempt to collect any demographic information, and don’t log IP addresses on incoming connections.
How do I report a potential vulnerability or security concern?
We are continually engaged with a team of researchers in a private bug bounty program and therefore do not provide compensation for independent reports. However, if you have a concern please email us at [email protected], which will notify us very loudly and we’ll get back to you ASAP.
Are you SOC 2 or ISO 27001 certified?
While we’d eventually love to achieve these certifications, we don’t hold them at this time.
Do you conduct background checks on your employees/contractors?
Yes. All employees sign an NDA and undergo a background check before starting.
Any further questions?
No problem! You can email us at [email protected] for more details.