Data Security

Keeping Your Data Safe

The security of your member data is always something we take seriously. Learn more about what we do to keep it safe.

Overview

We consider the security of our customer data a top priority. We have implemented industry-standard security practices, including encryption at rest and in transit, to prevent unauthorized access to customer data. We work constantly to ensure that our security practices are up to date and effective.

This page is intended to provide an overview of our security practices. If you have any questions, please contact us.

Physical Infrastructure

We use Railway as our main hosting partner. Railway are compliant with ISO 27001, SOC 2, SOC 3 and HIPAA. We are hosted within the European Union (EU) region in their Amsterdam data center.

Our servers are hosted in a secure facility with 24/7 monitoring and surveillance. Access to the facility is strictly controlled and monitored. The facility is staffed 24/7 by trained security guards, and access is authorized strictly on a least-privilege basis. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

You can learn more on the Railway Trust Website, including reading more about their certifications.

We do not have physical access to the environment.

Uploaded Files

Files that you upload are stored by Amazon Web Services (AWS) in their S3 storage service in Dublin, Ireland. You can read more about their compliance certifications.

Development Process

We follow industry-standard best practices for software development, including:

  • Code reviews – All changes to the application go through both review by other members of the development team and automated review by code analysis tools that look for potential security issues.
  • Automated testing – We have a suite of automated tests that run on every change to the application. These tests ensure that the application is working as expected.
  • Automated deployments – All application deployments are done through automated pipelines for consistency and security.
  • Isolated Environments – Development and Production are completely isolated from each other. This ensures that no production data is used for development or testing.

All staff also go through:

  • Background checks – All staff are required to pass a background criminality check before being hired.
  • Annual Security Awareness Training – This includes training on handling Personally Identifiable Information (PII), security best practices, phishing, and social engineering. For developers this also includes secure coding guidelines, including how to avoid the common vulnerabilities listed by OWASP.
  • Confidentiality Agreement – All staff are required to sign a confidentiality agreement, including non-disclosure.
  • Access Control Checks – All staff are required to use multi-factor authentication (MFA) to access any systems, and their access is limited based on their job function. This access is checked regularly to ensure it is still correct.

Data Security

We take full advantage of Railway’s managed services in order to limit our access to customer data and lean on their expertise:

  • Container-Based – Our application runs in Docker containers on Railway-managed hardware. This means that we do not have access to the underlying operating system.
  • Encryption – All data is encrypted at rest and in transit. Data is encrypted at rest in both Railway and AWS with AES-256. All transmission between services and the internet is done via HTTPS/TLS, with a minimum of TLS 1.2.
  • Network Security – We don’t allow any external access to our database or storage. No insecure protocols are used, nor do we use management services like SSH.
  • Database Backups – We use automated backups to make regular copies of the data within Railway in case of disaster.
  • Data Access – Access to production data is strictly limited and all systems require multi-factor authentication.

Third-Party Services

Beyond AWS, we also use the following third-party services:

  • Bunny CDN – We use Bunny CDN to serve static assets, such as images and JavaScript, including those uploaded to our Knowledge Base product. This is a content delivery network (CDN) that caches these assets around the world to improve performance. This does not include any business or personal data. Learn more at bunny.net.
  • Lemon Squeezy – We use Lemon Squeezy from Stripe to manage our billing and subscription payment services. Learn more at lemonsqueezy.com.

GDPR

We act as a data controller for the businesses who use our service. We collect and process data for the purposes of providing our service. Your billing address and company details are shared with Lemon Squeezy in order to process your subscription, but we do not share any other data with any third parties.

We also act as a data processor on behalf of our customers who use our service, who act as data controllers for the data they collect on behalf of their members while using our service.

Our customers are responsible for ensuring that they have the necessary consent to collect and process data from their members. We limit the data we allow our customers to store in order to help them comply with GDPR, including:

  • Limited – We only store names and email addresses of members, and have no way to add additional personal data.
  • Accuracy – Our customers can edit all the data stored about the members in their system to ensure it is accurate, or to remove information.
  • Data Removal – Our customers can remove people from their system permanently, which will remove them from our database.

Our general philosophy is that if we don’t need it, we don’t ask for it, and we don’t store it. We encourage our customers to do the same with their member data.