Security at

We, at, place security at the core of what we do and believe that it is essential to keeping our promise to our users. We have procedures, checks, and audits in place to systematically help guarantee everyone uses our service in a secure and safe manner.

Used by +15,000 powerful teams worldwide

Data protection

Data at rest

Along with cloud storage buckets, every datastore that contains client data is secured at rest. Row-level encryption is also used by sensitive collections and tables. Consequently, neither physical access to the database nor logical access to the database are sufficient to read the most sensitive data because the data is encrypted even before it reaches the database.

Data in transit

Every time data is transmitted to our services, employs TLS 1.2 or a later version. To increase the security of our data while it is in transit, we additionally use features like HSTS (HTTP Strict Transport Security). Cloudflare manages the server TLS keys and certificates, and they are distributed using application load balancers.

Secret management

Application secrets are securely encrypted and kept in key vault service, with only authorized users having access to these values. Also we leverage detailed audit logs that track who accessed which secrets and when for compliance purposes and for detecting any unusual or unauthorized activity.

Product security

Penetration testing

A skilled security team at frequently performs penetration testing for both minor and significant changes. These audits include every aspect of the products, including web applications, mobile applications, and cloud infrastructure, and security engineers have full access to the source code to find security flaws in order to maximize efficacy and coverage.

Vulnerability scanning

At crucial points in our Secure Development Lifecycle (SDLC), demands vulnerability scanning:

  • Code static analysis (SAST) testing is carried out continuously and during pull requests.
  • To find known vulnerabilities in our software supply chain, we use software composition
analysis (SCA).
  • Periodic network vulnerability scanning.

Enterprise security

Endpoint protection

All business devices have mobile device management software installed on them as well as anti-malware security. To enforce secure endpoint configuration, including password manager, disc encryption, screen lock configuration, and software upgrades, we employ MDM software.

Secure remote access protects remote access to internal resources with sophisticated identity-aware-proxy technology, an access tool utilized by the development team for SSH, Kubernetes, databases, internal web applications, and Windows. We avoid phishing by relying on biometrics and machine identification, and its zero-trust design prevents attacker pivots

Security education

  • provides comprehensive security training to all employees upon onboarding and annually through educational modules within the Vanta platform. In addition, all new employees attend a mandatory live onboarding session centered around key security principles.
  •’s security team shares regular threat briefings with employees to inform them of important security and safety-related updates that require special attention or action.

Identity and access management

  • secures our identity and access management with Azure AD. We mandate the usage of phishing-resistant authentication factors, and if feasible, we employ SSO.
  • Customer data is only accessible to authorized workers who need it for operational and maintenance purposes.
  • Employees at are allowed access to applications based on their function and are automatically deprovisioned upon cessation of employment. Additional access must be granted in accordance with the policies established for each application.

Vendor security approaches vendor security from a risk-based perspective. A vendor's inherent risk rating is influenced by the following factors:

  • Access to customer and corporate data
  • Integration with production environments
  • Potential harm to the brand

Once the inherent risk rating has been determined, the security of the vendor is evaluated in order to determine a residual risk rating and an approval decision for the vendor.

Failover and disaster recovery

Our whole production infrastructure is structured with redundancies in highly available configurations dispersed across various availability zones. To retrieve crucial data, an auto-backup policy is in place.

Inventory and configuration

Terraform is used to keep infrastructure as code, with modifications happening through a procedure very similar to the application-level software development process. We employ distinct infrastructure for development, staging, and live environments, with no data sharing between them.

Monitoring and logging

  • We do thorough monitoring of infrastructure and application performance, which helps us spot problems before many clients do. Automated alerts with on-call schedules are set up, with escalation to all other members of the devops team.

  • Our security team use security monitoring to detect and respond to application assaults, abnormalities, and suspicious activity.

We Use Cookies To give you the best experience on our website. Cookies help improve website functionality, analyze website traffic, and enable our marketing activities. By continuing to use our site, you agree to our use of cookies. For more details, please see our Privacy Police