Version 1.0. Last updated May 12, 2021.

Introduction

At Condorsay, we take the protection of user data seriously. This security policy describes what we do to prevent unauthorized access, use, alteration or disclosure of customer data.

Infrastructure

We have built our service on mature technologies with security in mind.
  1. All of our services run in the cloud. We do not operate our own routers, load balancers, DNS servers, or physical servers.
  2. Our main service runs on Heroku, a mature platform-as-a-service (PaaS) with established security policies.
  3. Django is a web application framework with mature, built-in protection against XSS, CSRF, SQL injection, clickjacking, and more. The Django project also has a security reporting policy so that vulnerabilities are addressed quickly.
  4. We run our DNS and Web Application Firewall (WAF) on Cloudflare. We have enabled distributed denial of service (DDoS) protection and the OWASP Core Ruleset, which protects against SQL injection, cross-site scripting (XSS), and more.
  5. We send an HTTP Strict Transport Security (HSTS) header, which instructs the user agent to make all future requests over HTTPS even when a link specifies HTTP.
  6. We use services that have their own security policies: Prefinery.
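As an added illustration of point 5 and of the monthly header scan described under Policies, the following checker parses a Strict-Transport-Security header value and flags weak settings. This is example code written for this page, not Condorsay's own code, and the sample response headers are constructed.

```python
# Added example (not Condorsay's code): check an HSTS header as a monthly header scan would.
# Constructed sample of what an HTTPS response from the service might carry.
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Type": "text/html; charset=utf-8",
}

ONE_YEAR = 31536000  # minimum max-age that the browser preload list accepts


def parse_hsts(value):
    """Parse an HSTS value into lowercase directives (RFC 6797); max-age becomes an int."""
    directives = {}
    for token in value.split(";"):
        name, _, val = token.strip().partition("=")
        name = name.strip().lower()
        if not name:
            continue
        val = val.strip().strip('"')
        if name == "max-age":
            if not val.isdigit():
                raise ValueError("max-age must be a non-negative integer")
            directives[name] = int(val)
        else:
            directives[name] = True
    return directives


def check_hsts(headers, min_max_age=ONE_YEAR):
    """Return a list of findings; an empty list means the policy is acceptable."""
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    if value is None:
        return ["Strict-Transport-Security header missing"]
    try:
        d = parse_hsts(value)
    except ValueError as e:
        return [f"malformed HSTS header: {e}"]
    findings = []
    if "max-age" not in d:
        findings.append("max-age directive missing")
    elif d["max-age"] == 0:
        findings.append("max-age=0 tells browsers to forget the HSTS policy")
    elif d["max-age"] < min_max_age:
        findings.append(f"max-age {d['max-age']} is below {min_max_age}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set; subdomains stay unprotected")
    return findings


if __name__ == "__main__":
    print(check_hsts(SAMPLE_HEADERS) or "HSTS policy OK")
```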

Password policy

We only allow login using Google accounts. We do not store user passwords.

Policies

  1. We check our Python and JavaScript dependencies daily for reported security vulnerabilities and updates.
  2. Database backups are performed daily, and continuous rollback protection covers the previous 4 days.
  3. We run monthly security scans with SSL Labs (TLS configuration) and securityheaders (HTTP security headers) to verify our security settings.
  4. We maintain best practices internally. We use long random passwords. Credentials are not committed to our repository.

Security Reports

We welcome security reports at [email protected]