Security
This document describes how Redokun works, the main security choices we have made, and our main company security policies.
If you have additional questions regarding security, see our Privacy Policy and Terms of Service, or write to us at [email protected]. We will be happy to answer them.
Infrastructure
Our hard infrastructure is made up of servers running our main application and its ancillary services.
Data centers
Our application runs on the best data centers in the world, all of which comply with the best-known industry standards:
- ISO 27001
- SOC 1 and SOC 2
All the data centers we use also certify their physical security at various levels.
Data centers guarantee 24/7 security guard services, intrusion detection systems, and stringent policies for personnel access. Only a few people are allowed in the data centers, and their actions are routinely audited.
Data uploaded by our customers (e.g. documents and translations) are hosted in Europe (Ireland and Germany).
Network
All our servers and services are protected by firewalls that only let traffic through on explicitly allowed ports and protocols.
We rely on a global CDN (Cloudflare), which provides DDoS mitigation, shielding our servers from the open web with 155 Tbps of DDoS protection.
Cloudflare also keeps our application and APIs secure, blocks bots, and detects anomalies and malicious payloads, all while monitoring for browser supply chain attacks.
Every connection to our service and between services is encrypted using TLS. This guarantees that all the traffic securely traverses our services and reaches our users without being compromised.
We enforce rate limiting (in various forms) to prevent malicious actors from degrading performance across different accounts and to guarantee good performance for everyone.
More details
Read more about the security policies of the infrastructure providers that we use:
Payment details
To process payments, we use Stripe and Chargebee. Both are PCI compliant for encrypting and processing credit card payments. We do not directly handle any credit card details.
Development
Every change made in the production environment has previously passed a set of automated tests. We also routinely do manual testing to ensure that the application behaves consistently and as expected.
We have processes in our development cycle that ensure we maintain a quality code base, which means that it is clean and more secure.
We routinely upgrade dependencies to keep our development processes as up to date as possible and to bring in all the security fixes that those tools have implemented.
Third parties
We interact with many third parties that are useful for various parts of the application. In every case, we give them access only to the minimal set of information we need to give them, and for every third party, we use a unique password/access token. In doing this, we try to minimize the risk that one compromised system gives access to everything else.
We make sure that every third party we use is as careful about security as we are.
Data
All the data is encrypted in transit with TLS, both internally between services and externally, when reaching the users.
We retain database backups for up to 6 months.
If you delete your document, we delete all data from the live database immediately, but we'll retain copies in our backups that are not accessible from the live system.
User passwords are hashed using bcrypt and then stored in our database.
Reliability
Our entire infrastructure is reliable and easy to reproduce by design. We rely on Ansible so we can reprovision our entire application in a single run.
In case of incidents, we have a team of developers who get notifications on their mobile phones so that they can take action as soon as possible. We are alerted in case of a high error rate or when servers are unreachable.
We collect status metrics both on our servers and from third parties making checks from servers spread all across the globe, giving us good visibility on the status of our infrastructure.
People
Redokun's team is made up of highly trained professionals who are very careful with their own personal security.
Nevertheless, we have the following team policies:
- 2FA: we access all the services hosting Redokun with 2FA-enabled accounts
- password manager: we never use the same credentials in more than one service. We create strong passwords, and we store them and third-party keys in an encrypted password manager
- remote access: we minimize the access points to our production environment
- computer security: we enforce strong passwords for our computers, and we encrypt disks.
Vulnerability disclosure
If you have found a security vulnerability, please get in touch via [email protected].