When using our services, our customers entrust their data to us, including personal data. It is one of our primary duties to each customer to ensure that appropriate measures are in place for the protection of the customer's personal data. This Data Protection Policy lists some of those measures. All terms used in this Policy have the meanings ascribed to them in our Terms of Service.
- It is crucial that some of our employees have access to the systems we use for processing data. For example, in order to diagnose a problem our customers are having, we may need to access their data.
- We set strict controls over our employees' access to customers' personal data. We are devoted to ensuring that data is not seen by anyone who has not been granted access.
- We have technical policies in place to ensure that any access to customers' data is logged. All of our employees are bound by our policies regarding the security of customers' data.
- We transmit data over public networks using proper encryption. Our systems support some of the cutting-edge cipher suites to encrypt all data in transit, including the use of the TLS 1.2 protocol and the SHA-256 hashing algorithm.
- Data at rest in our production environment is encrypted at the storage level using either AES-256 or AES-128. This applies to all data at rest.
- We monitor the changing cryptographic landscape and upgrade our cipher suite choices accordingly.
- The Service is hosted in data centers operated by cutting-edge service providers who offer advanced physical and other protection for infrastructure underlying our service. These providers are responsible for restricting access to the infrastructure to authorized personnel only.
- Each customer's data are hosted in the public cloud resources allocated to us and are logically isolated. We use a combination of different storage technologies to ensure that all data are protected from hardware failures.
- Network access to our production environment from public networks is restricted. Only a small number of production servers and network protocols are accessible from the internet.
- We employ cutting-edge mitigations against distributed denial of service (DDoS) attacks on our network.
- Changes to our production environment can be made only by authorized personnel via a dedicated VPN. We have implemented multi-factor authentication for all server access at our production level.
- Our service runs on systems that are tolerant to failures of individual servers as well as entire data centers. Our development team tests recovery measures regularly and has a team dedicated to quickly resolving unexpected incidents.
- Data are stored at multiple locations in our cloud provider's data centers to ensure availability. We have safe backup and restoration procedures to ensure recovery from a major disaster. Data and our source code are regularly backed up, and our development team is notified in case of a failure of this system.
- We have a centralized logging system in our production environment for information concerning security, monitoring, availability, access and other metrics for our service. These logs are analyzed using automated monitoring software.
Security practices in product development
- Secure practices are embedded into the whole product development cycle. Any new features and design changes go through the review process defined by our software development process. In addition, our code is audited with industry-standard tools, tested and reviewed before being deployed to the production level. The security aspects are regularly reviewed internally.
Access to our service
- Access to our service requires all users to authenticate, and users are granted unique identifiers for that purpose.
Changes to this Policy
- We may revise this Policy from time to time to reflect changes to our service, applicable laws, regulations or standards, or other changes that may occur in our business. If any changes are made, we will inform our customers and post the revised Data Protection Policy. We will use TeamBench, email or other means to inform customers of such policy changes. The revised Policy will be effective when posted unless the document itself specifies a later time for its entry into force.