Security overview

Last updated: March 9, 2020

Physical security

We don't own any hardware. Instead, our services run on hosted cloud platforms.

Our own computers are used for development, company management, and off-site backups. Data is stored on encrypted hard drives or file systems, or the files themselves are encrypted. Either way, there is always at least one layer of encryption.

Personnel security

Access to the servers and data is restricted to those who absolutely need it. Everyone uses strong passwords and encryption keys. Everyone is well trained and aware of standard security policies.

Software security

We utilize several techniques, technologies, and policies to keep our systems secure:

  1. All traffic between our servers and your browser is transferred over HTTPS.
  2. We have set up firewalls on our servers that block any unwanted and unneeded traffic.
  3. We only use strong passwords and password managers to store them.
  4. Additional access security, such as SSH keys and 2FA, is used wherever applicable.
  5. We only use common and well known software frameworks and libraries.
  6. Passwords stored in our database are hashed and salted.
  7. Our servers and their software are kept up-to-date with recent security patches.
  8. Both on-site and off-site backups are encrypted with GPG.
  9. Payments are handled by an external and certified payment processor; your payment card information never goes through our own servers.
  10. We adhere to the OWASP secure coding practices.

This document is adapted from Basecamp's policy documents, licensed under CC BY 4.0.