EasyRetro Security

Access control and organization security

Personnel

All our contractors sign confidentiality agreements before gaining access to our codebase and data. We don't do background checks on our contractors, but we have a multi-step hiring process that includes a code challenge review, portfolio analysis and interviews.

Data Access

Our infrastructure is based on Firebase (and Google Cloud). We don't manage our own servers because we use the Firebase platform (backend as a service). Access to the Firebase dashboard and data requires two-factor authentication.

Code Practices

We ensure we have high-quality code by using unit tests, integration tests, end-to-end tests and code analysis tools (Code Climate) in continuous integration. We also have a staging environment for manual tests; once we confirm everything is fine there, we deploy to production. We deploy almost every week.

Penetration Testing

EasyRetro undergoes black box penetration testing, conducted by an independent, third-party agency, once a year. For black box testing, EasyRetro provides the agency with a real admin account for testing all features, plus extra details about endpoints and software architecture.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. EasyRetro will provide a summary of penetration test findings upon request.

Data protection

End to End Encryption

EasyRetro encrypts data in transit using 256-bit Secure Socket Layer (SSL) technology with the SHA-256 with RSA Encryption algorithm. Our SSL configuration has an A+ grade on the SSL Labs quality report.

We use Google Cloud Platform to store all our data, and it provides default encryption at rest using either AES-256 or AES-128. You can read more about Google Cloud encryption here: https://cloud.google.com/security/encryption-at-rest/.

reCAPTCHA

We use the Google reCAPTCHA security service to protect EasyRetro from spam and abuse. We use it on our login form to block bots.

Password Encryption

Our passwords are stored securely using bcrypt technology provided by Google Cloud. We also enforce strong password complexity by requiring a minimum of 8 characters, 1 uppercase letter, 1 lowercase letter and 1 number upon registration in the app.
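As an added illustration of the registration rule above (example code written for this page, not EasyRetro's own implementation), the following validator enforces the four stated requirements and reports which ones a candidate password fails, so a registration form can show precise feedback. It counts Unicode code points rather than UTF-16 code units, so characters outside the Basic Multilingual Plane count as one character each, and it accepts non-ASCII letters and digits via Unicode property escapes; both choices are assumptions of this example, not stated policy.

```javascript
// Added example: registration password policy check.
// Rules taken from the page: minimum 8 characters, at least one uppercase
// letter, one lowercase letter and one number. The Unicode-aware matching
// and code-point length counting are assumptions made for this example.
const PASSWORD_RULES = [
  {
    id: 'minLength',
    message: 'at least 8 characters',
    // [...p] splits by code point, so an emoji or other astral character
    // counts once instead of twice (p.length would count UTF-16 units).
    test: (p) => [...p].length >= 8,
  },
  {
    id: 'uppercase',
    message: 'at least one uppercase letter',
    test: (p) => /\p{Lu}/u.test(p),
  },
  {
    id: 'lowercase',
    message: 'at least one lowercase letter',
    test: (p) => /\p{Ll}/u.test(p),
  },
  {
    id: 'digit',
    message: 'at least one number',
    test: (p) => /\p{Nd}/u.test(p),
  },
];

// Returns { ok, failed, messages }: `failed` lists the ids of unmet rules in
// policy order, `messages` the matching human-readable hints for the form.
function checkPasswordPolicy(password) {
  // Anything that is not a string fails every rule; never throw on bad input.
  if (typeof password !== 'string') {
    return {
      ok: false,
      failed: PASSWORD_RULES.map((r) => r.id),
      messages: PASSWORD_RULES.map((r) => r.message),
    };
  }
  const unmet = PASSWORD_RULES.filter((r) => !r.test(password));
  return {
    ok: unmet.length === 0,
    failed: unmet.map((r) => r.id),
    messages: unmet.map((r) => r.message),
  };
}

// Constructed sample inputs for a stand-alone run.
for (const candidate of ['Secret12', 'secret12', 'Sh0rt', 'password']) {
  const result = checkPasswordPolicy(candidate);
  console.log(candidate, result.ok ? 'accepted' : `rejected: ${result.messages.join(', ')}`);
}

module.exports = { PASSWORD_RULES, checkPasswordPolicy };
```

The same function should run on the server side of registration as well as in the browser form: client-side feedback improves usability, but only the server-side check actually enforces the policy.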

Email verification

Users are required to verify ownership of their account email via a link sent in an automated e-mail before they can create data in EasyRetro.

Payments

Payments are handled by Paddle, our third-party provider. We don't store any billing information on our servers. Paddle is PCI-compliant and adheres to the Payment Card Industry Data Security Standard. Once you cancel your subscription, your payment information is deleted automatically from Paddle. You can read more about it here: https://paddle.com/taxes-fraud-compliance/.

Single Sign On

EasyRetro provides a SAML SSO option for large enterprise accounts. This allows companies to control access using their internal identity systems. You can read more about our integration on the SSO Information page.

Data center and backups

Data Center

EasyRetro is hosted on Firebase, which is part of Google Cloud Platform. Our data is hosted in the US Central region. Google Cloud is a highly secure platform with multiple certifications: ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS and CSA. You can read more about it here: Google Cloud Security, Google Cloud Infrastructure Design, Google Cloud Security Whitepaper, Google Cloud SOC 3 report, Firebase Privacy and Security and Google Cloud Data Center Security Video.

Physical Access Control

EasyRetro is hosted on Google Cloud Platform. Google data centers feature a layered security model, including extensive safeguards such as custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors and biometrics.

Backups

EasyRetro takes a backup once per day. All backups are encrypted by default. Backups are deleted 30 days after they are created.

Data privacy

Data Belongs to You

We strongly believe that your data belongs to you. You can modify it, export it and delete it whenever you want. You can read more about what data we collect and how we use it in our Privacy Policy.

Availability and business continuity

Availability

EasyRetro uses Firebase services extensively and is hosted on Google Cloud Platform, a highly reliable platform with high availability. You can check the live Firebase status here: https://status.firebase.google.com/.

Attack Prevention & Mitigation

We use Firebase for authentication services, and it has a monitoring feature that blocks IPs attempting to attack us. Firebase limits the number of new Email/Password and Anonymous sign-ups to our application from the same IP address.

Google Cloud Platform's intrusion detection also involves tightly controlling the size and make-up of Google's attack surface through preventative measures, employing intelligent detection controls at data entry points, and employing technologies that automatically remedy certain dangerous situations.

We protect our backend resources from abuse with App Check. App Check is a Firebase tool that detects invalid requests and intrusions and uses reCAPTCHA v3 technology. You can read more about it here: https://firebase.google.com/docs/app-check.

Security Incidents

Have you noticed abuse, a bug, or a security issue in the app? You can report any vulnerabilities to security@easyretro.io. In the event of a security incident, we will contact all customers involved and work with you throughout.

Business Continuity

EasyRetro keeps daily encrypted backups of data on Firebase. While never expected, in the case of production data loss, we will restore data from these backups.