Security Policy

Introduction
As an application entrusted with your pricing and deal data, we recognize the importance of excellent security practices. While we are a small team, we work hard to punch above our weight on security. This document covers our security practices and policies. If you are interested in the data we collect and store, please see our privacy policy.

General practices
- Access to servers, source code, and third-party tools is secured with two-factor authentication.
- We use strong, randomly-generated passwords that are never re-used.
- Employees and contractors are given the lowest level of access that allows them to get their work done.
- We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues.
- We are aggressive about applying patches and deploying quickly.
- We don't copy production data to external devices (like personal laptops).

Access control and organizational security

Personnel
Our employees and contractors sign an NDA before gaining access to sensitive information.

Authentication
User passwords are hashed using bcrypt before being stored, and are never stored in plain text.

Authentication is handled by the Devise library, the open source standard for securing Ruby-based web applications. It is constantly updated to reflect best-in-class security standards.

Sessions automatically expire after a period of inactivity (configurable per client requirements).

Alternatively, we offer SSO/SAML-based authentication from providers such as Okta and Azure Active Directory.

Data retention & logging
Logs are stored separately from our backend infrastructure within the log monitoring platform Better Stack.

These logs are retained for 30 days, after which they are permanently deleted. Application analytics can be permanently deleted on request.

Vulnerability detection
Both the client and our backend are regularly scanned for dependencies with known security vulnerabilities.

Vulnerable dependencies are patched and redeployed rapidly.

Hosting
Our backend server is hosted on Heroku, which runs on top of Amazon Web Services.
Amazon's data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)

What user data do you collect?
We're not in the business of making money off data. We do collect information about how users interact with our app so we can improve the product and provide faster, more effective support when issues arise. These events include:
- Sign-In and Sign-Out events
- Interaction with features of the app (e.g. quote creation)
- Crashes and other errors

Users are identified in our system by their email address and are asked to provide a name.

Do you conduct background checks on your employees/contractors?
Yes. All employees sign an NDA and undergo a background check before starting.