We follow a simple principle
“Don't do unto others what you don't want done unto you.”
This means we expect you to hold us to the same standards that we would to any other platform where we share our personal data.
Data privacy & security is baked into our processes when writing & deploying code and managing our production systems. Here are some of the practices we follow to ensure the safety of your data:
1. Regular internal & external penetration testing and audits.
2. Employees only get access to the systems based on access policies attached to their roles.
3. We use AWS API Gateway in front of all public endpoints that provide web application firewall (WAF) and DDoS protection.
4. All our internal employee systems are connected with Google SSO and require 2FA to access.
5. All our production systems are in a virtual private cloud (VPC) that whitelists IP addresses for access.
6. Our AWS accounts require 2FA in addition to a password to access our infra.
7. Use of self-hosted password manager to enforce strict password policies & encryption.
8. We implement strict end-device policies such as VPN, Google Single Sign-on, and Password rotation and allow no USB devices.
We apply all possible common-sense security principles. In complex, interconnected systems, it could just be one tiny incident, technical or human error (often seemingly silly errors), that opens up Pandora’s box.
To add some perspective, all Intel processors globally became vulnerable pretty much overnight (MELTDOWN, SPECTRE vulnerabilities) in 2018, sending the world into a tizzy.
Thus, 100% security does not exist and eternal vigil, technical and otherwise, as a practice, is the best anyone can do. We do whatever we can and are always very cautious.
Our Bug Bounty program incentivizes hackers for responsible disclosures. We categorize each bug into Critical/High/Medium/Low and clearly communicate SLA in the Privacy Policy and Terms of Usage.