FeedOtter data security

Here’s a description of our technical and organisation security measures that we use to secure FeedOtter and protect your personal data.

Data location

FeedOtter is hosted on Digital Ocean’s Cloud Platform which runs on AWS. This places your data in their USA data centers. At the time of writing we use both their East and Midwest locations.

Encryption of personal data

Your data is encrypted at rest using Transparent Data Encryption .

Protecting data during transmission

Data moving through FeedOtter services is encrypted in transit using an appropriate encryption technology.

When data is moving between you and FeedOtter, everything is encrypted and sent securely using HTTPS . HTTPS is enforced with HSTS and we utilize HSTS so that the initial request to FeedOtter is also secure.

Internal access controls

Our team doesn’t have a reason to access or process customer data on a day to day basis. Processing is fully automated. It’s only if there’s a problem with an account or to help resolve a customer support question that we might need to access personal data.

All our team members have signed confidentiality undertakings and undergo GDPR training in respect of their roles.

We use role based access controls for staff and use two-factor auth on both internal apps and external services.

Resilience and availability

FeedOtter is geographically spread and load balanced across multiple Digital Ocean data center’s. It comes with extensive application and infrastructure monitoring. We maintain redundancy throughout our infrastructure in order to minimize the risk of low or slow availability or loss of data.

We use web application firewalls, rate limiting & DDOS protection to provide resilience and ongoing availability.

Managing availability

FeedOtter is hosted and load balanced across the USA West and USA Midwest regions in Digital Ocean. This setup provides continuous availability in case of an outage or issue  in either data center. The database is replicated between these regions, and backed up, to give us full resilience.

Physical security

FeedOtter is hosted within data centers provided by Digital Ocean. As such, we take advantage of their physical, environmental and infrastructure controls.

Digital Ocean is accredited with ISO and SOC which covers and accredits their physical security controls.

User identification and authorization

Passwords for signing in are hashed and salted using an PBKDF2-based function in line with the recommendations of the UK’s National Cyber Security Centre .

We suggest all users set up two-factor authentication in FeedOtter to protect their account and data.

Only you, the client, can invite and remove users and apply permission levels in your account.

Testing, evaluating and assessing the measures

We automate a lot of tests that monitor our infrastructure to make sure it’s up and running 24/7. We also use an external service to monitor availability, you can see our current and historical availability on our status page .

Event logging

All events are recorded in log files, therefore it’s possible to review when and by who personal data was entered, altered or deleted. We do not provide access to this information unless a specific event requires this data to be disclosed.

Data transfers

We use sub-processors to help deliver FeedOtter, and sometimes this means transferring your data to a 3rd party.

In all cases we make sure that an adequate level of data protection exists by assessing their security and having in place contracts based on the EU SCCs.

Data minimization and retention

An important factor in data protection is to make sure we don’t collect and store any more data than needed to provide you with FeedOtter. Every piece of data we collect and store must be backed up with a justifiable reason.

If personal data is no longer required it is deleted, either by you, the client, or by automated script when data hits its maximum retention period.

As an example, we only store customer support data for 12 months, an automated script deletes tickets that are 12 months old.

Data quality

All of the data processed is provided by you (the data controller) or your end users (the data subjects). You’ll find reporting tools within FeedOtter to help you understand, validate, and if necessary correct the data.

Data portability and deletion

FeedOtter has built-in backup and reporting tools that allow you to permanently erase data.

We don’t store debit/credit card information.

All our payments are processed through Stripe https://stripe.com They are a PCI Service Provider Level 1 organisation. Using Stripe means we don’t need to store your payment card details, they are sent encrypted direct to Stripe, we don’t store them anywhere.

You can read more about security at Stripe here: https://stripe.com/docs/security/stripe

Reporting security problems

We’re happy to work with security researchers, they’re an important part of keeping the internet a safe place to work.

Security questions or concerns?

If anything here is unclear, gives rise for concern, or you just want to understand something, then reach out to our support team .

chevron-down