Security
Security is our first priority and we put constant effort into keeping our platform secure.
If you have any questions or you want to report a security issue, please contact us by email.
We adopt many best practices to ensure the security of our service and the protection of data. For example:
- We follow best practices for web push notifications: the endpoints (i.e. the addresses of the recipients) are stored in our database and are not publicly accessible; each endpoint is also bound to a cryptographic key pair through protocols like VAPID, so it can be used only by someone who also holds the private key; we also offer a reliable way to authenticate your users (SSO) when they subscribe to push notifications
- We make daily backups of the database and store them off-site; the backup configuration ensures that they cannot be deleted, even in the case of an attack on the main application; we also periodically test restoring the database backups to ensure that everything works properly
- Only a few highly qualified people can access the production environment
- We enforce HTTPS on public networks
- We use isolated private networks for communication between servers
- We keep the software updated and we constantly apply security patches
- We are subscribed to multiple mailing lists so that we are notified immediately about new CVE vulnerability disclosures
- We keep our application code clean and tested
- We use open source libraries only when necessary; we try to use trusted sources, or we manage the other libraries directly for better control
- We use infrastructure as code and containers, which make it easier to review parts of our infrastructure
- We use soft deletion in many parts of our application to protect customer data from accidental deletion
- We store passwords securely (e.g. outside the source code) and, where possible, use alternatives such as public key cryptography or encrypted secrets
- We offer two-factor authentication to our customers and they can also create IAM roles with limited access for better security
- We ship logs over SSL and we try to minimise the sensitive data they contain
- We perform checks on open ports
- We use firewalls
- We use a Web Application Firewall (WAF)
- We have protections against DDoS attacks
- We use trusted providers to run our service. Our main provider for IaaS is DigitalOcean, which offers certified datacenters located in Europe.
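The VAPID point above, as an added illustration that is not the service's own code: a push service accepts a send request for an endpoint only when the accompanying JWT verifies under the public key registered for that subscription, so knowing an endpoint URL alone gives no ability to send. Function names are hypothetical; the key handling follows RFC 8292 (ES256 over P-256, raw r||s signature).

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"math/big"
	"strings"
)
var b64 = base64.RawURLEncoding // JWS uses base64url without padding
// NewVAPIDKey generates the P-256 key pair a push subscription is bound to (hypothetical helper).
func NewVAPIDKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// SignVAPID builds the sender's ES256 JWT: aud = push-service origin, exp = unix expiry, sub = contact URI.
func SignVAPID(priv *ecdsa.PrivateKey, aud, sub string, exp int64) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"typ": "JWT", "alg": "ES256"})
	body, _ := json.Marshal(map[string]interface{}{"aud": aud, "exp": exp, "sub": sub})
	signing := b64.EncodeToString(hdr) + "." + b64.EncodeToString(body)
	h := sha256.Sum256([]byte(signing))
	r, s, err := ecdsa.Sign(rand.Reader, priv, h[:])
	if err != nil {
		return "", err
	}
	sig := append(r.FillBytes(make([]byte, 32)), s.FillBytes(make([]byte, 32))...) // raw r||s, not ASN.1
	return signing + "." + b64.EncodeToString(sig), nil
}
// VerifyVAPID is the push-service side: the token is accepted only if it was signed by the private
// key matching the subscription's public key, names this service as audience and has not expired.
func VerifyVAPID(pub *ecdsa.PublicKey, token, wantAud string, now int64) error {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return errors.New("malformed token")
	}
	sig, err := b64.DecodeString(parts[2])
	h := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err != nil || len(sig) != 64 ||
		!ecdsa.Verify(pub, h[:], new(big.Int).SetBytes(sig[:32]), new(big.Int).SetBytes(sig[32:])) {
		return errors.New("signature does not match subscription key")
	}
	var c struct{ Aud string; Exp int64 } // encoding/json matches "aud"/"exp" case-insensitively
	if raw, err := b64.DecodeString(parts[1]); err != nil || json.Unmarshal(raw, &c) != nil {
		return errors.New("unreadable claims")
	}
	if c.Aud != wantAud || now >= c.Exp {
		return errors.New("audience mismatch or token expired")
	}
	return nil
}
```

A token signed with any other key, addressed to a different push service, or past its expiry is rejected before the endpoint is touched.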