Here’s a description of our technical and organisation security measures that we use to secure FeedOtter and protect your personal data.
FeedOtter is hosted on Digital Ocean’s Cloud Platform which runs on AWS. This places your data in their USA data centers. At the time of writing we use both their East and Midwest locations.
Your data is encrypted at rest using Transparent Data Encryption .
Data moving through FeedOtter services is encrypted in transit using an appropriate encryption technology.
When data is moving between you and FeedOtter, everything is encrypted and sent securely using HTTPS . HTTPS is enforced with HSTS and we utilize HSTS so that the initial request to FeedOtter is also secure.
Our team doesn’t have a reason to access or process customer data on a day to day basis. Processing is fully automated. It’s only if there’s a problem with an account or to help resolve a customer support question that we might need to access personal data.
All our team members have signed confidentiality undertakings and undergo GDPR training in respect of their roles.
We use role based access controls for staff and use two-factor auth on both internal apps and external services.
FeedOtter is geographically spread and load balanced across multiple Digital Ocean data center’s. It comes with extensive application and infrastructure monitoring. We maintain redundancy throughout our infrastructure in order to minimize the risk of low or slow availability or loss of data.
We use web application firewalls, rate limiting & DDOS protection to provide resilience and ongoing availability.
FeedOtter is hosted and load balanced across the USA West and USA Midwest regions in Digital Ocean. This setup provides continuous availability in case of an outage or issue in either data center. The database is replicated between these regions, and backed up, to give us full resilience.
FeedOtter is hosted within data centers provided by Digital Ocean. As such, we take advantage of their physical, environmental and infrastructure controls.
Digital Ocean is accredited with ISO and SOC which covers and accredits their physical security controls.
Passwords for signing in are hashed and salted using an PBKDF2-based function in line with the recommendations of the UK’s National Cyber Security Centre .
We suggest all users set up two-factor authentication in FeedOtter to protect their account and data.
Only you, the client, can invite and remove users and apply permission levels in your account.
We automate a lot of tests that monitor our infrastructure to make sure it’s up and running 24/7. We also use an external service to monitor availability, you can see our current and historical availability on our status page .
All events are recorded in log files, therefore it’s possible to review when and by who personal data was entered, altered or deleted. We do not provide access to this information unless a specific event requires this data to be disclosed.
We use sub-processors to help deliver FeedOtter, and sometimes this means transferring your data to a 3rd party.
In all cases we make sure that an adequate level of data protection exists by assessing their security and having in place contracts based on the EU SCCs.
An important factor in data protection is to make sure we don’t collect and store any more data than needed to provide you with FeedOtter. Every piece of data we collect and store must be backed up with a justifiable reason.
If personal data is no longer required it is deleted, either by you, the client, or by automated script when data hits its maximum retention period.
As an example, we only store customer support data for 12 months, an automated script deletes tickets that are 12 months old.
All of the data processed is provided by you (the data controller) or your end users (the data subjects). You’ll find reporting tools within FeedOtter to help you understand, validate, and if necessary correct the data.
FeedOtter has built-in backup and reporting tools that allow you to permanently erase data.
All our payments are processed through Stripe https://stripe.com They are a PCI Service Provider Level 1 organisation. Using Stripe means we don’t need to store your payment card details, they are sent encrypted direct to Stripe, we don’t store them anywhere.
You can read more about security at Stripe here: https://stripe.com/docs/security/stripe
We’re happy to work with security researchers, they’re an important part of keeping the internet a safe place to work.
If anything here is unclear, gives rise for concern, or you just want to understand something, then reach out to our support team .