The security of your personal information is important to us. We follow generally accepted standards to protect the personal information submitted to us, both during transmission and once it is received. If you have any questions about the security of your personal information, you can contact us at [email protected].
The following are the features we have applied in the design and operation of our products to manage your account security and fraud control.
Account authentication is achieved using the email address and password of the user at the login page of the system.
Passwords must be at least 8 characters long. User passwords are stored in the database in encrypted hashed form. Only the generated hash is compared when a user authenticates; the original plain-text password is never referenced or stored.
Online Session Management
After the user has successfully authenticated, an online, private session is started that grants the user access to the functions available to the account. These functions are only available within the session.
A user may log out and destroy the online session. Likewise, the session is automatically destroyed after 30 minutes of no activity on the account by the user.
Further, within the session, only the data belonging to the account is accessible to the user.
A payment facility is available in the system. It is only accessible inside an online session, and only to users with specific roles and permissions.
Payment is available to top up credits on the account and to pay for a plan subscription.
Top-up is performed manually by the user, and the amount is arbitrarily set by the user. A user may perform multiple top-ups on the account until the desired credit amount is reached.
Plan subscription is charged automatically, using an automated trigger in the system, based on the billing schedule of the subscription. The charged amount is fixed, based on the price of the plan that was set when the user started the subscription. A plan is only paid once per billing cycle of the subscription.
Users access the system using a web browser, over an encrypted HTTP channel. Non-secure access is not allowed; attempts to use it are detected and automatically redirected to the secure channel.
Infrastructure and Network Security
The entire system is hosted in our own Amazon Web Services (AWS) account.
Web traffic between the user’s browser and the system is served using Amazon’s CloudFront and Elastic Load Balancer services. With CloudFront, the system is protected against known network and application layer attacks.
The resolution of the domains on which the URL of the system is based is hosted in a route that offers good security against DNS-based attacks.
AWS complies with many security requirements, which can be reviewed on their website.
We apply best practices when providing our staff with access to our AWS account. We require all users to enable multi-factor authentication and to use key-based authentication where applicable.
The entire system is operated using the AWS container service, with shell access disabled. We recycle container instances on a regular schedule, so each system environment is exposed for only a limited period of time.