Effective: 1-Jan-2016
This document is an electronic record in terms of the Information Technology Act, 2000 and rules made thereunder. Further, this electronic record is generated by a computer system and does not require any physical or digital signatures. This electronic record is published in accordance with the relevant provisions of the Information Technology Act, 2000 and rules made thereunder.
We take the security of your data very seriously. As transparency is one of our core principles, we aim to be as clear and open as we can about the way we handle security.
If you have additional questions regarding security, we are happy to answer them. Please write to [email protected] and we will respond as quickly as we can.
We place strict controls over our employees’ access to the data you and your users make available via the services at this platform, as more specifically defined in your agreement with us covering the use of our services ("Customer Data"), and are committed to ensuring that Customer Data is not seen by anyone who should not have access to it. The operation of our services requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with our services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to Customer Data is logged.
All of our employees and contract personnel are bound to our policies regarding Customer Data and we treat these issues as matters of the highest importance with us.
We conduct background checks on all employees before employment, and employees receive security training during onboarding as well as on an ongoing basis. All employees are required to read and sign our comprehensive information security policy covering the security, availability, and confidentiality of our services.
The following security-related audits and certifications are applicable to our services:
The environment that hosts our services maintains PCI DSS and HIPAA certifications for its data centers. For more information about their certification and compliance, please visit the Linode compliance and the Linode security.
In addition to the work we do at the infrastructure level, in future, we may provide Team Administrators of paid versions of our services with additional tools to enable their own users to protect their Customer Data.
Web framework level detailed access logs are available both to users and administrators of paid teams. We log every time an account signs in, noting the type of device used and the IP address of the connection.
Team Administrators and owners of paid teams can review consolidated access logs for their whole team. We also make it easy for administrators to remotely terminate all connections and sign out all devices authenticated to our services at any time, on-demand.
User can setup two-factor authentication (2FA) using the third-party authetication mechanisms available at this platform. For example: A user can identify itself to our services using its Google account where 2FA is activated. In future, we plan to activate the features for Team Administrators to require all users to set up two-factor authentication on their accounts using this platform directly, in addition to third-party 2FA solutions.
All teams whether paid of free can integrate their services instance with a variety of single-sign-on providers. Teams can use Facebook, Twitter, Linkedin, Google Apps for Domains as their authentication provider.
Owners of paid teams can configure custom data retention policies on a team-wide and per-service basis. Setting a custom duration for retention means that data or files older than the duration you set will be deleted periodically. If such feature is not available due to any reason, we retain all available data in the platform.
We provide the option for Team Owners to delete Customer Data at any time during a subscription term. Within 24 hours of Team Owner initiated deletion, We hard deletes all information from currently-running production systems (excluding team and service names, and search terms embedded in URLs in web server access logs). Our services backups are destroyed within 30 days.
Our services include the following export capabilities:
Our services implemented the best available Transport Layer Security (TLS) with the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. We proudly sport A+ rating at ssllabs, HTTP Strict Transport Security (HSTS) for robust security. Customer Data will be encrypted at rest, in future if not already implemented in an update.
We monitor the changing cryptographic landscape closely and work promptly to upgrade the service to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve. For encryption in transit, we do this while also balancing the need for compatibility for older clients.
We understand that you rely on our services to work. We're committed to making us a highly-available service that you can count on. Our infrastructure runs on systems that are fault tolerant, for failures of individual servers or even entire data centers. Our operations team tests disaster-recovery measures regularly and have an around-the-clock on-call expert technician team to quickly resolve unexpected incidents.
Customer Data is stored redundantly at multiple locations in our hosting provider’s data centers to ensure availability. We have well-tested backup and restoration procedures, which allow recovery from a major disaster. Customer Data and our source code are automatically backed up in nightly, weekly, fortnightly and monthly sets. The Operations team is alerted in case of a failure with this system. Backups can be fully restored to working systems in the quickest time possible subject to the size of the data.
In addition to sophisticated system monitoring and logging, we have implemented two-factor authentication for all server access across our production environment. Firewalls are configured according to industry best practices and all ports are blocked by configuration except the mandatory ports. We have also implemented the automated process to block and ban the IP addresses that attempt any supicious activity. Network administrators in our team are alerted on email with all the details of any such suspicious activity as soon as it is auto-blocked and auto-banned.
We perform automated vulnerability scans on our production hosts and remediate any findings that present a risk to our environment. We enforce screens lockouts and the usage of anti-malware, anti-virus software on all devices with vulnerable operating systems.
We maintain an extensive, centralized logging environment in its production environment which contains information pertaining to security, monitoring, availability, access, and other metrics about our services. These logs are analyzed for security events via automated monitoring software, overseen by the security team.
In the event of a security breach, we will promptly notify you of any unauthorized access to your Customer Data. We have incident management policies and procedures in place to handle such an event.
New features, functionality, and design changes go through a security review process facilitated by the security team. In addition, our code is audited with automated static analysis software, tested, and manually peer-reviewed prior to being deployed to production. The security team works closely with development teams to resolve any additional security concerns that may arise during development.
We also plans to operate a security bug bounty program. Security researchers around the world can continuously test the security of our services, and report issues via the program.