Security

We are dedicated to the security of your data and information.

Last updated: February 7, 2022

Product Security

Development Process

We follow industry best practices so that security is built into our product and our regular development process, including code reviews and unit and integration tests.

All engineers are required to be familiar with the vulnerability classes catalogued by OWASP and to use libraries, frameworks, and mitigations vetted and recommended by the security community.

Vulnerability Scanning

We regularly update our servers, tools, and libraries, and patch vulnerabilities as they are discovered. Our application, hosts, and network are scanned automatically, and out-of-date dependencies are detected automatically.

Infrastructure Security

Encryption

All data in transit is encrypted with TLS (commonly still referred to as SSL). All passwords are hashed using bcrypt, and billing information is managed entirely by our PCI-compliant payment providers (Stripe and PayPal).

Secrets Management

Secrets are stored securely and never in source code. Access to our infrastructure and related services requires SSH, with two-factor authentication enabled wherever the service supports it.

Monitoring and Logging

We are committed to keeping Preceden highly available. Our infrastructure runs on fault-tolerant systems, and backups are taken daily. We use redundant third-party providers for 24/7 monitoring and alerting on any downtime.

Trust and Verification

Compliance

Preceden is hosted on Heroku, a cloud application platform used by organizations of all sizes to deploy and operate applications throughout the world. Preceden is deployed to the United States (US) region. For information about data residency, see Heroku's documentation on data residency for Postgres applications.

Heroku’s physical infrastructure is hosted and managed within Amazon’s secure data centers and uses Amazon Web Services (AWS) technology. Amazon continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. Amazon’s data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

Security Research

We welcome responsible security research and disclosure on our product and infrastructure. Potential vulnerabilities can be reported by emailing [email protected]. Valid findings will be considered for compensation.