Security Policy

Last updated: 04 January 2018

Need to report a security vulnerability?

Please visit our security page: https://www.podaris.com/.well-known/security.txt for information about our responsible disclosure process and to submit a vulnerability report.

Data Security

We require users to authenticate themselves and establish a secure, encrypted connection in order to send data to Podaris.

Our web services are protected by industry standard firewalls, which limit non-essential connections/communications with devices outside of Podaris’s secure network.

We protect authentication tokens from other, potentially malicious websites.

We enforce HTTP Strict Transport Security and take measures to prevent Cross-site Scripting attacks.

Data on disk is encrypted using 256-bit AES encryption.

When you sign up for a paid account on Podaris, we do not store any of your card information on our servers. Customer card data and payment processing are handled by Stripe, a company dedicated to storing your sensitive data on PCI-compliant servers.

Data Reliability and Control

All Project Data on Podaris are backed up multiple times per day, and we maintain a trail of backups for approximately one year. This minimizes the likelihood that Project Data will be accidentally lost. Backups are replicated across multiple, geographically dispersed data centers.

We regularly test our backup restoration procedures.

In general, Podaris personnel are prohibited from viewing your Project Data without your permission, except that Podaris personnel may access your Project Data as reasonably necessary to support, maintain and troubleshoot its systems. If we access your Project Data for these purposes, we will not further disclose your Project Data and will not use it for any other purposes.

If you require a full or partial export of your Project Data stored in Podaris, you can use the in-application button to do so at any time.

An important part of maintaining the security of your Data is being able to authenticate your identity when you access it. We identify you by your email address, which you are required to verify before collaborating with other users. You then set a password to protect your account. We never store passwords on client computers or inside plugins.

If you ever decide to delete an account that you own, backups that contain your Project Data will be expired and deleted over the course of the next year, unless specifically required for legal or other purposes, as outlined in our Privacy Policy. However, Project Data that you created as a collaborator on other users' projects may continue to be available to them, so as not to disrupt their usage of the service.

Passwords are securely hashed in accordance with industry best practices.

We never store passwords in plain text.

System Security

We use Distributed Denial of Service (DDoS) mitigation services powered by industry-leading solutions.

Our services are hosted using Microsoft's cloud services.

System access is logged and tracked for auditing purposes.

We protect your login from brute force attacks with rate limiting. All passwords are filtered from all our logs and are stored in the database only as one-way bcrypt hashes. Login information is always sent over SSL.

Monitoring

We make reasonable efforts to monitor our servers 24/7, looking out for any incursion. We will make reasonable efforts to notify you of and respond promptly to any unauthorized use or disclosure of your Data.

What you can do

Despite all of our efforts described above, we will never be able to absolutely guarantee the security of your Data. You should always take every precaution available to help protect access to your account and ensure the security of your Data. Here are some suggested best practices for helping to keep your account secure:

Podaris will not be responsible for loss, damage, corruption, theft or unauthorized access of or to your Data that occurs despite Podaris’s precautions described above.

We take security extremely seriously, but we're aware that many companies are not comfortable hosting data outside their firewall. For these companies we offer Podaris Enterprise on-site, a version of Podaris that can be installed on a server within the company's network.