Nifty Accreditor Security Details
We value your data and are dedicated to ensuring its safety and protection. This document details how we handle your data securely during its transmission and storage.
If you are interested in the data we collect and store, please see our Privacy Policy.
General Practices and Organisational Security
Here are some of the best practices we’ve adopted:
- Access to servers, source code, and third-party tools is secured with two-factor authentication.
- We use strong, randomly-generated passwords stored in a password manager (1Password).
- Anyone who needs access to the system is given the lowest level of access that allows them to get their work done. This rarely includes access to production systems or data.
- We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are proactive in applying patches and swiftly deploying updates.
- We don’t copy production data to external devices (like personal laptops).
Authentication
When users sign up for Nifty Accreditor, we create a user record in our database that includes:
- Full name
- Email address
- Hashed password (using bcrypt)
When a user signs in, we generate an encrypted session token stored in browser cookies.
Encryption
All application pages are encrypted with TLS 1.3 via certificates managed by Let’s Encrypt, our certificate provider.
Infrastructure and Hosting
- Our application and database server is hosted with Akamai Linode in the Sydney, Australia data centre.
- We use Amazon Web Services for various purposes including file storage and backups, in the ap-southeast-2 region (Sydney, Australia).
- For geographic redundancy, backups are replicated to Rsync.net in the Fremont, California, USA data centre.
Amongst other reasons, these providers were selected for their security track record and commitment to industry-standard best practices.
Akamai Linode’s data centre operations have been accredited under:
- IRAP, Australian Government Security Standards
- ISO 27001, ISO 27017, ISO 27018, ISO 27701
- SOC 2, Type 1 and 2
Amazon's data centre operations have been accredited under:
- IRAP, Australian Government Security Standards
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
Rsync.net’s data centre operations have been accredited under:
- SSAE16/SAS70
- GDPR/DPA
- HIPAA/HI-TECH
Learn more about their security practices:
Architecture Diagram
Vulnerability Detection
The application is regularly scanned for dependencies with known security vulnerabilities.
Vulnerable dependencies are patched and redeployed rapidly.
Error Monitoring
Application errors are tracked using Bugsnag, and retained for 7 days. All data sent to Bugsnag is encrypted in transit.
Software Development Practices
We value shipping software at high velocity, but not so fast that we sacrifice quality or, most importantly, data security.
- We maintain a rigorous automated test suite, linters, a static type checker, and a code formatter, all enforced via continuous integration before deployment.
- We maintain local testing environments for manual QA testing.
- Features are often deployed behind a feature flag before fully rolling them out to all customers.
- We perform continuous error monitoring with Bugsnag, to quickly identify bugs.
- Error monitoring notifies our developers when production errors occur.
- We follow up with customers who are known to have encountered an error in production.
FAQs
Are you SOC 2 or ISO 27001 certified?
While we’d eventually love to achieve these certifications, we don’t hold them at this time. Our infrastructure and hosting providers do hold these certifications, though. See section “Infrastructure and Hosting” for details.
How do I report a potential vulnerability or security concern?
Please email us at contact@niftyaccreditor.com. We do not provide compensation for independent reports at this time.