Security and Compliance
Effective May 9, 2024
This document outlines our commitment to safeguarding the security and privacy of the data you entrust to us. Here, you will find detailed information about how we host and manage our services, our compliance with international security standards, our data protection practices, and the measures we take to ensure the integrity and availability of our systems.
Hosting
Our application components are hosted across multiple services:
- Netlify: Hosts static assets and client-side code.
- Firebase: Manages user authentication and backend functionalities.
- Hetzner: Provides server infrastructure.
- MongoDB Atlas: Stores application data on clusters hosted on Google Cloud Platform.
Authentication
Users can access our Services using either Email/Password authentication or Google OAuth 2.0. Currently, we do not support Two-Factor Authentication.
Session Management
Session tokens are automatically renewed unless explicitly revoked by the user. We implement an invalid password lockout policy to enhance security.
Compliance Certifications
Our servers and infrastructure providers are compliant with major security standards:
- Netlify: SOC 2 Type 2 and ISO 27001 certified. More Info
- Hetzner: ISO 27001 certified. More Info
- Firebase: ISO 27001, SOC 1, SOC 2, and SOC 3 compliant. More Info
- MongoDB Atlas: SOC 2 Type 2 and ISO 27001 certified. More Info
Data Storage
Data related to rooms (titles, customization, timers, messages, logs) is stored on MongoDB Atlas clusters located in South Carolina (us-east1), with backups retained for three months. Images (custom logos, backgrounds, etc.) are stored in a Google Cloud Platform storage bucket under an “EU (multiple regions in European Union)” policy.
Security Practices
- Data Deletion: Upon deletion, room data and user accounts are purged from our systems within 30 days. All backups are erased within three months.
- Desktop App: Available for Mac and Windows, it operates solely on the local file system without cloud interaction. It periodically checks for updates via HTTP requests, but blocking these requests does not affect app functionality.
Backup and Recovery
Our data recovery strategy includes:
- Hourly Snapshots: Taken every 6 hours with a retention period of 7 days.
- Weekly Snapshots: Taken every Saturday with a retention period of 4 weeks.
- Monthly Snapshots: Taken on the last day of each month with a retention period of 3 months.
System Integrity and Redundancy
- Testing: We perform automated tests prior to any system update to ensure the integrity of critical functions.
- Redundancy: Critical systems maintain at least triple redundancy to guarantee high availability. Our system’s reliability can be monitored on our status page.
Security Measures
- Data Encryption: All data in transit is encrypted using SSL. However, data stored on our systems is not encrypted at rest but is safeguarded through strong authentication and security protocols.
- Third-Party Access: Access to live user data is strictly limited to authorized staff. Confidentiality agreements are in place with contractors and business associates, and where feasible, they work on test or anonymized data to prevent unauthorized access to sensitive information.
For more details on which third-party services we use that may receive personal information, please refer to our Privacy Policy.