We take security seriously at Minsilo. We protect your data like it's ours (because we also use Minsilo to store our important data). Here are the steps we take specifically to keep your data safe and secure.
We follow industry-leading best practices for keeping your data safe and secure.
Each workspace that you create in Minsilo is stored in a separate database schema, separate from other customers. This reduces the risk of data leakage and ensures that you only have access to the data in your workspace. Every workspace is provided on a separate subdomain (e.g. yourcompany.minsilo.com).
For a fee, enterprise customers can request that their workspace(s) be stored on a separate database server instance and served by a separate backend application server.
All data you create in the app is backed up at least nightly. File attachments and uploaded files are stored using Amazon's S3 service, which provides 99.999999999% durability and stores data redundantly across multiple devices and facilities. We periodically restore backups to ensure their integrity.
All data sent between your computer and our server is encrypted using HTTPS (specifically using the TLS protocol). This means that data you send to and receive from us is protected in transit from eavesdropping and tampering by third parties on the network.
Once we receive your data, we store it using Server-Side Encryption on AWS. This utilizes the AES-256 cipher to securely store your data at rest.
Our top consideration when selecting cloud providers is the privacy and security of your data. We only use well-known and established cloud providers for services that involve your sensitive data. All of our application-related providers are SOC 2 compliant.
We use Stripe to provide key billing functions. We follow PCI compliant practices and do not store any credit card data on our servers at any time. We only store unique identifiers that help us identify subscriptions that you may have with us. These identifiers do not allow additional charges to be placed on your credit card.
Stripe is regularly audited by a PCI-certified auditor. They are certified to PCI Service Provider Level 1, which is the highest level of certification available.
Minsilo provides email-and-password based authentication. Under the hood, we use the Devise library to properly handle passwords that you use with your account. These passwords are never stored in cleartext; they are always hashed and salted before being stored. You can read more about how Devise works here.
We use policy and technological controls to limit employee access to your business data. Where practical, we log access to customer data. Here is our policy for access below:
Storing too much data poses a risk to everybody involved. That's why we only store data when it's necessary to deliver the application and provide a good customer experience. This means that we:
In the event that we receive a lawful government request, we may retain data for a period longer than specified above. However, once data is deleted according to our policy, we cannot recover that data under any circumstance.
We strongly support the work of security researchers and welcome the responsible disclosure of bugs, vulnerabilities, and other security issues. At this time, we are unable to provide a bounty for vulnerabilities that you disclose to us. However, you may publicly disclose your findings 90 days after disclosure or after we patch the bug, whichever is sooner.
You can disclose vulnerabilities securely by email at firstname.lastname@example.org. Be sure to include "Responsible Disclosure" in the subject.
If you have any questions about how we handle security at Minsilo, please email us at email@example.com.