It doesn't matter if you're a solo customer or you're one of our very security-sensitive customers within highly regulated industries (such as finance/banking, healthcare, etc.) we take the security of your data extremely serious.
Below are some of the measures taken to secure our systems and your data.
All networking connections throughout the system use encrypted TLS connections. We host our data and APIs on Google infrastructure while static content (such as this) are hosted on Netlify. The managed systems we use from Google are ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, and SOC 3 certified/compliant and Netlify is SOC 2 compliant.
In addition to the certifications for our data/API layer mentioned above, we leverage Google's managed database and file storage infrastructure to provide top-tier server security of data/storage layers. All data is encrypted before it's written to disk. With this infrastructure, Google manages the cryptographic keys using the same hardened key management systems that they use for Google's own encrypted data, including strict key access controls and auditing. Our database objects/data and metadata are encrypted under the 256-bit Advanced Encryption Standard, and each encryption key is itself encrypted with a regularly rotated set of master keys managed by Google.
When users capture observations using the Web Observer extension, those observations are not sent to our servers until the user uploads them manually - they stay on the user's device. Users can choose which observations they would like to upload. When uploading and anytime after, users can specify the access levels for the observations they have uploaded to control how other users may access them - by default observations are private.
We leverage Google's authorization services to offload all management of passwords and oAuth access-tokens. The means Web Observer offloads security of password and sensitive token stoage to Google and their highly fortified infrastructure. This authentication mechanism provided by Google is ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, and SOC 3 certified/compliant.
All employees receive security training during onboarding and at-least once per year going forward. We enforce operational requirements that include: usage of password managers, encryption of computers, MFA for all business accounts (where possible), leveraging VPN on potentially insecure networks.
Only absolutely required employees - as few as we possible to ensure service reliability/uptime - have access to production databases and servers. All other engineering, development, and pre-produciton testing happen on local or pre-production environments which are completely separate systems from our production system that hosts customer data.
We work hard to secure your data but we are always interested in knowing if there are ways to improve. So if you have any questions or comments about our security, let us know - we appreciate your help!