The security of your data is a priority for us. We follow high security standards for our whole infrastructure, including encryption and compliance with recognized recommendations. For the sake of transparency and continuous improvement, you will find below a list of the measures we are implementing.
Our applications are hosted on servers provided by OVH SAS , within the So you Start and OVH Private Cloud ranges. Our servers run on Ubuntu 18.04. Administration access to these servers is restricted to a very small number of people and requires strong authentication techniques (mandatory RSA keys and disabling of password access). You can see the details of our SSH access configuration on the Rebex SSH Check website.
On our servers, your data is always encrypted. On our So you Start servers (provided by OVH SAS), your data is stored in TrueCrypt containers (we use TrueCrypt version 7.1a-13). On our OVH Private Cloud servers (provided by OVH SAS), your data is stored on LUKS encrypted partitions (we use the cryptsetup 2.0.2 version).
Data transiting between your device and our application servers is encrypted, both during upload and download. This is confirmed by the padlock in the address bar of your browser and the URL that indicates the use of HTTPS (in our case, HTTP with TLS 1.2 encryption).
We redirect all HTTP traffic (port 80) to HTTPS (port 443) and have set up the HSTS settings to tell your browser to do the same.
OWASP is an open community working on web application security. In particular, they publish a list of the ten most critical safety risks. We pay a particular attention to the top ten risks mentioned in the latest 2017 version of this list.
Thanks to Laravel's default configuration, we are also protected from CSRF attacks (one of the ten risks in the 2013 version of the OWASP list). Indeed, all our entry points triggering an action (HTTP requests such as DELETE, POST, PUT or UPDATE) require the presence of a token linked to the session.
We drive intrusion tests every year to assess the security of our infrastructures and applications. Our last intrusion tests (black and grey box) have been performed by Novidy's on September 2019, and by Synetis on November 2020.
Since the first release, we have been inviting our users and security researchers to report vulnerabilities they suspect or have identified. To do this, we follow the requirements of securitytxt.org (a proposed standard to allow websites to define their security policy). In particular, we have set up a dedicated contact address and we respond to all incoming messages.