Version 1.0. Last updated May 12, 2021.
At Condorsay, we take the protection of user data seriously.
This security policy describes what we do to prevent unauthorized access,
use, alteration or disclosure of customer data.
We have built our service on mature technologies with security in mind.
- All of our services run in the cloud. We do not run our own routers,
load balancers, DNS servers or physical servers.
- Our main service runs on Heroku, a mature platform-as-a-service (PaaS)
with established security policies.
- Django is a web application framework with built-in protections against
XSS, CSRF, SQL injection, clickjacking and more. The Django project also has
a security reporting policy to quickly address vulnerabilities.
- We run our DNS and Web Application Firewall (WAF) on Cloudflare.
We have enabled distributed denial of service (DDoS) protection and
the OWASP Core Ruleset,
which protects against SQL injection, cross-site scripting (XSS),
- We send a Strict Transport Security (HSTS) header to the user agent,
which ensures that all future requests are made via HTTPS even if a link
is specified as HTTP.
- We use services that have their own security policies: we only allow
login using Google accounts, and we do not store user passwords.
reported security vulnerabilities and updates.
- Database backups are performed daily,
and we have continuous rollback protection for 4 days.
- We run monthly security scans from ssllabs (TLS) and
securityheaders (HTTP security headers) to verify our security settings.
- We maintain best practices internally.
We use long random passwords.
Credentials are not committed to our repository.
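As an added example (not code from Condorsay's policy or site), the following Python models the HSTS behaviour described above and the kind of check a monthly HTTP security header scan performs: it parses a Strict-Transport-Security value, flags weak settings, and shows the user-agent side rewriting an http:// link to https://. The sample header, the hostnames and the 180-day minimum age are assumptions, not values from the policy.

```python
from urllib.parse import urlsplit, urlunsplit

SAMPLE_HEADER = "max-age=31536000; includeSubDomains; preload"  # constructed sample, not captured from the site

def parse_hsts(value):
    """Parse a Strict-Transport-Security value (RFC 6797): directive names are
    case-insensitive, max-age is mandatory and may be quoted. Returns a dict
    with max_age, include_subdomains and preload, or None if malformed."""
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, raw = directive.strip().partition("=")
        name, raw = name.strip().lower(), raw.strip().strip('"')
        if name == "max-age":
            if not raw.isdigit():
                return None
            policy["max_age"] = int(raw)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy if policy["max_age"] is not None else None

def hsts_findings(value, min_age=15552000):
    """Check a header the way a header scanner would; [] means acceptable.
    min_age (180 days) is an assumed threshold, not one from the policy."""
    policy = parse_hsts(value)
    if policy is None:
        return ["max-age missing or malformed"]
    findings = []
    if policy["max_age"] == 0:
        findings.append("max-age=0 tells browsers to forget the policy")
    elif policy["max_age"] < min_age:
        findings.append(f"max-age {policy['max_age']} is below {min_age}")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains not set")
    return findings

def upgrade_url(url, known_hosts):
    """Model the user-agent side: rewrite http:// to https:// when the host (or,
    with includeSubDomains, a parent domain) has a remembered parse_hsts() policy."""
    parts = urlsplit(url)
    if parts.scheme != "http":
        return url
    host = parts.hostname or ""
    for known, policy in known_hosts.items():
        if host == known or (policy["include_subdomains"] and host.endswith("." + known)):
            # An explicit :80 is dropped so the request goes to the default 443.
            netloc = host if parts.port == 80 else parts.netloc
            return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))
    return url
```

A header that omits max-age is rejected outright, because without it a browser remembers nothing and the "all future requests" guarantee does not exist.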
We welcome security reports at [email protected]