CISOfy and Security
We care about your data and trust. Security is our business, and we take it seriously. Below we describe some of the security measures we have taken.
Communications to our web services occur via HTTPS, to ensure privacy and confidentiality of your data. Secure from the beginning is our motto: that is why we only provide our website via HTTPS.
Technical details
We use an Extended Validation (EV) certificate. This means our company details and ownership were checked and validated. TLS is used, with TLSv1.2 preferred. The ciphers used are based on best practices, protecting against well-known attacks. HTTP Strict Transport Security (HSTS) ensures that plain HTTP connections are redirected and that browsers are instructed to use HTTPS instead. We also set a long expiration date, so browsers will try HTTPS first. The great folks behind SSL Labs gave us an A+ score.
Session cookies are set with the highest level of security (HttpOnly and Secure flags), protecting against CSRF/XSS attacks.
Regular audits, vulnerability scans and security scans are performed to test our security defenses. We have security monitoring in place and use our own tooling, Lynis Enterprise.
All downloads are available via HTTPS, ensuring your download comes from our systems. Additionally, we provide a hash (fingerprint) of the download and a digital signature. The hash can be used to validate the integrity of the file; the digital signature validates that we are the ones who released it. We also apply these signatures to our software repository.
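The two checks described above (integrity via the published hash, authenticity via the signature), as an added shell example that is not CISOfy's own tooling. It assumes the published fingerprint is SHA-256, that the signature is a detached file, and that the vendor's public key has already been imported into gpg.

```shell
#!/bin/sh
# Added example: verify a downloaded release before installing it.
# Assumption: the vendor publishes a SHA-256 fingerprint and a detached
# signature file, and the vendor's public key is already in the gpg keyring.

# Compute the SHA-256 of a file, falling back to shasum where sha256sum is absent.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Integrity check: returns 0 only if the file's SHA-256 equals the published one.
# The published value is lower-cased so a mixed-case fingerprint still matches.
check_hash() {
  file="$1"
  expected=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  actual=$(sha256_of "$file")
  [ "$actual" = "$expected" ]
}

# Authenticity check: gpg exits non-zero on a bad signature or an unknown key.
check_signature() {
  gpg --verify "$2" "$1" >/dev/null 2>&1
}

# Run both checks; refuse the download if either fails.
verify_download() {
  file="$1"; published_hash="$2"; sig="$3"
  if ! check_hash "$file" "$published_hash"; then
    echo "REJECT: hash mismatch for $file" >&2
    return 1
  fi
  if ! check_signature "$file" "$sig"; then
    echo "REJECT: signature check failed for $file" >&2
    return 1
  fi
  echo "OK: $file verified"
}
```

Usage: `verify_download lynis.tar.gz "<published sha256>" lynis.tar.gz.asc` (placeholder file names).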
We are experts in system auditing, so we test our own environment on a regular basis and apply security controls. This includes system hardening, software patch management, and log reviews.
Although we are interested in our customers, we avoid collecting personal information as much as possible. Only basic information is stored to process trial requests and orders. Payment details are processed by a PCI-compliant third party, Stripe.
Deletion of data
When data is no longer needed, we simply delete it. Hoarding is not our thing, especially not when it comes to sensitive data. We do, however, make backups. They are encrypted and stored in different undisclosed locations, both online and offline.
Responsible Security Disclosure
When you discover an issue with our site or products, we encourage you to use responsible disclosure. We respect your privacy, so you can report issues anonymously. Use firstname.lastname@example.org to report any security issue. If you want to use PGP-signed communications, email our founder, Michael Boelen.
Protect yourself: Don't break the law.