Security is our first priority and we put constant effort to keep our platform secure.
If you have any questions or you want to report a security issue, please contact us by email.
We adopt many best practices to ensure the security of our service and the protection of data. For example:
- We use the best practices for web push notifications: the endpoints (i.e. the addresses of the recipients) are stored in our database and are not publicly accessible; the endpoints are also associated to cryptographic key pairs through protocols like VAPID and thus can be used only if you also have access to the private keys; we also offer a reliable way to authenticate your users (SSO) when they subscribe to push notifications
- We make daily backups of the database and we store those backups off-site; the configuration of backups ensures that they cannot be deleted, even in the case of an attack to the main application; we also periodically try to restore the database backups to ensure that everything is working properly
- Only few, high-qualified people can access to the production environment
- We enforce HTTPS on public networks
- We use isolated private networks for communication between servers
- We keep the software updated and we constantly apply security patches
- We are subscribed to multiple mailing lists to be notified immediately about CVE vulnerabilities
- We keep our application code clean and tested
- We use open source libraries only when necessary and we try to use trusted sources or we manage other libraries directly for better control
- We use infrastructure as code and containers that make it easier to review parts of our infrastructure
- We use soft deletion in many parts of our application to protect customer data from accidental deletion
- We store passwords securely (e.g. outside the source code) and we use alternative methods like public key cryptography or encrypted secrets
- We offer two-factor authentication to our customers and they can also create IAM roles with limited access for better security
- We ship logs over SSL and we try to reduce sensitive data contained in logs
- We perform checks on open ports
- We use firewalls
- We use a Web Application Firewall (WAF)
- We have protections against DDoS attacks
- We use trusted providers to run our service. Our main provider for IaaS is DigitalOcean, which offers certified datacenters located in Europe.