Security Overview

We take security very seriously. We know our customers trust us with important data, and we use industry best practices to keep it secure. We consider security as the primary criteria when choosing service providers to work with. We have an extremely high bar for keeping data secure and continually audit and update our processes regularly.

Infrastructure

Our infrastructure is designed with redundancy, fault tolerance and disaster recovery at the forefront. All of our application and data infrastructure is hosted on Amazon Web Services (AWS), a highly scalable cloud computing platform with end-to-end security and privacy features built in. Amazon Web Services (AWS) has achieved the highest level of certifications including ISO 27001 and SOC. All our infrastructure is within our virtual private cloud (VPC) with production access restricted to operations support staff only. This allows us to leverage complete firewall protection, private IP addresses and other security features. For more information, see AWS Security and AWS Compliance.

Monitoring

We design all services with high availability in mind. Our goal is to deliver 99.95% or better uptime across all our products. To support our uptime and performance goals, we employ a variety of enterprise-grade internal and third-party tools (for example: New Relic, Pingdom, Sentry.io, Nagios) to accurately monitor and report on any anomaly that could impact the delivery of our services.

Billing

Our credit card processor, Stripe, meets and exceeds the most stringent industry standards for security. It has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.

Engineering and Operational Practices

We consider every single team member to be a member of the security team, and are dedicated to keeping all data secure.

  • We use continuous integration and configuration management tools to build and test code multiple times a day. Extensive unit, integration, and static analysis tests are run against all changes before release.
  • Our team is constantly monitoring security notifications from all 3rd party software libraries and if identified, we immediately apply any relevant security patches as soon as they are released. We use automated solutions in place which proactively notify our team of relevant security advisories.
  • All our services are accessible via TLS and default to TLS. This means data is encrypted in transit. All our application communications support TLS v1.2.
  • Where applicable, we treat both our software and our infrastructure configuration as code. Which means changes go through a formal code review, testing and deployment process. All of which lives behind a VPC accessible only by authorized users via VPN.
  • Our production and development environments are always kept separate on physically distinct networks.
  • Multi-factor authentication is mandatory for anyone with direct access to our underlying technical infrastructure and customer backups.
  • All passwords are salted and hashed with one-way encryption.
  • We have granular audit logs in place where appropriate.
  • Database backups are automated and performed multiple times a day where appropriate and recovery procedures are performed and tested as part of our process. Where appropriate, we opt for highly durable storage options provided by AWS.

Data Residency

All customer data is stored in the continental United States. Our content delivery network may serve static assets from around the world, but does not store customer data.

Continuous Improvement

All new product features and internal processes are peer-reviewed and evaluated for their security impact before they are released to production. We strive to continuously monitor and improve our security practices in response to industry changes and customer feedback.