Version 1.0. Last updated May 12, 2021.
Introduction
At Condorsay, we take the protection of user data seriously.
This security policy describes what we do to prevent unauthorized access,
use, alteration or disclosure of customer data.
Infrastructure
We have built our service on mature technologies with security in mind.
- All of our services run in the cloud. Condorsay does not operate its own routers,
load balancers, DNS servers, or physical servers.
- Our main service runs on Heroku, a mature platform-as-a-service (PaaS)
with its own published security policies.
- Our application is built on Django, a web application framework with
built-in protections against cross-site scripting (XSS), cross-site request
forgery (CSRF), SQL injection (Django's ORM parameterises queries),
clickjacking, and more. The Django project also has a security reporting
process so that reported vulnerabilities are fixed quickly.
- We run our DNS and Web Application Firewall (WAF) on Cloudflare, with
distributed denial-of-service (DDoS) protection and the OWASP Core Rule Set
(CRS) enabled. The CRS blocks common attack patterns such as SQL injection
and cross-site scripting (XSS) before they reach the application; it is a
layer of defence in depth on top of Django's own protections, not a
replacement for them.
- We send an HTTP Strict Transport Security (HSTS) header, which instructs
the browser to make every later request to our domain over HTTPS, for as
long as the header's max-age specifies, even when a link is written as
http://. Browsers only honour the header when it arrives over HTTPS, so the
protection applies from the first HTTPS response onward.
- We also use third-party services that publish their own security policies,
such as Prefinery.
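As an added example (not Condorsay's code), the following Python checker parses a Strict-Transport-Security header the way a browser does under RFC 6797 (directives separated by ';', case-insensitive names, max-age required, duplicate directives invalid, policy ignored over plain HTTP) and reports the weaknesses a header scanner would flag. The sample header values are constructed, and the one-year threshold is the minimum max-age required for browser preload lists.

```python
"""Parse and evaluate an HTTP Strict-Transport-Security (HSTS) header.

Added example, not Condorsay's code. The header values below are constructed
for illustration. Rules follow RFC 6797: directives are separated by ';',
directive names are case-insensitive, max-age is mandatory, a directive may
appear only once, and the policy is only honoured when received over HTTPS.
"""
from dataclasses import dataclass
from typing import Optional

# One year in seconds: the minimum max-age for the HSTS preload list and the
# value most header scanners treat as "good".
ONE_YEAR = 31_536_000


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(value: str) -> Optional[HstsPolicy]:
    """Return the parsed policy, or None if the header is invalid per RFC 6797."""
    seen = set()
    max_age = None
    include_subdomains = False
    preload = False
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue  # tolerate an empty element such as a trailing ';'
        name, sep, arg = directive.partition("=")
        name = name.strip().lower()
        if name in seen:
            return None  # RFC 6797 section 6.1: each directive MUST appear only once
        seen.add(name)
        if name == "max-age":
            arg = arg.strip().strip('"')  # the value may be a quoted-string
            if not sep or not arg.isdigit():
                return None  # max-age needs a non-negative integer argument
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # Unknown directives are ignored, as the RFC requires.
    if max_age is None:
        return None  # max-age is the one required directive
    return HstsPolicy(max_age, include_subdomains, preload)


def evaluate_hsts(headers: dict, over_https: bool) -> list[str]:
    """Return a list of findings for a response; an empty list means the policy is sound."""
    findings = []
    if not over_https:
        findings.append("response received over plain HTTP: browsers ignore HSTS here")
    # HTTP header names are case-insensitive, so match accordingly.
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        findings.append("Strict-Transport-Security header missing")
        return findings
    policy = parse_hsts(value)
    if policy is None:
        findings.append(f"malformed HSTS header: {value!r}")
        return findings
    if policy.max_age == 0:
        findings.append("max-age=0 clears any previously cached policy")
    elif policy.max_age < ONE_YEAR:
        findings.append(f"max-age {policy.max_age} is below one year")
    if not policy.include_subdomains:
        findings.append("includeSubDomains not set: subdomains stay reachable over HTTP")
    if policy.preload and (policy.max_age < ONE_YEAR or not policy.include_subdomains):
        findings.append("preload requires max-age>=1 year and includeSubDomains")
    return findings


# Constructed sample response headers (not captured from any real site).
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"}
WEAK = {"strict-transport-security": "max-age=300"}
CLEAR = {"Strict-Transport-Security": "max-age=0"}
BROKEN = {"Strict-Transport-Security": "max-age=100; max-age=200"}

if __name__ == "__main__":
    for label, hdrs in [("good", GOOD), ("weak", WEAK), ("clear", CLEAR), ("broken", BROKEN)]:
        print(label, evaluate_hsts(hdrs, over_https=True) or ["ok"])
```

The `over_https` flag matters in practice: a scanner that fetches the http:// origin and sees the header there is looking at something no browser will act on, so the check must be made against the HTTPS response.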
Password policy
We only allow login through Google accounts, so we never store or handle user passwords.
Policies
- We check our Python and JavaScript dependencies daily for reported
security vulnerabilities and available updates.
- Database backups are taken daily, and we can roll the database back to
any point within the preceding four days.
- We run monthly external scans with Qualys SSL Labs (TLS configuration) and
securityheaders.com (HTTP security headers) to verify that our settings have not regressed.
- We follow security best practices internally: we use long, randomly
generated passwords, and credentials are never committed to our source repository.
Security Reports
We welcome security reports at
[email protected]