Security

Security policy

Whenever our users use our products, there’s an implicit trust agreement between our users and us not to screw things up. We’d like to make this agreement explicit by promising the following:

  • We do everything in our power to secure access to our systems: keeping systems up-to-date, using good authentication practices like strong, unique passwords everywhere, and using hardware security modules where applicable.
  • We use encryption where it’s sensible to do so (transport-layer protection like HTTPS, and data encryption at rest where it’s practical).
  • We never store your password without current best-practice hashing (we won’t even know your password). We never store your credit card data on our servers; instead we use partners with PCI-compliant systems.
  • We design our systems in a paranoid manner rather than a trusting one: even datacenter-internal traffic between nodes is encrypted. The LAN is not a magically safe place separated from the bad outside world by a firewall.
  • We keep tabs on security researchers’ blogs and tweets.
  • Any severe security incident will be disclosed publicly (on our blog), sent to our customers via email, and listed on this page.

Vulnerability reporting

We highly appreciate responsible vulnerability disclosures.

If you would like to report a vulnerability, or have any security concerns with our product, please reach out to us by email. Our PGP key is on Keybase.

For non-critical matters, we prefer that you open an issue with the appropriate product:

  • For open source products, use the GitHub issues.
  • For all other products, file a ticket in our support system.

Security incident history

No security incidents. Let’s keep it that way!