Effective May 7, 2018
The following information aims to give you a better understanding of our security practices and compliance attestations.
Use of Encryption & Hashing
We have designed EasyRedir and our third-party integrations to protect the confidentiality of your information. One way we achieve this is encryption. The following points describe the specific measures we have taken:
- The EasyRedir dashboard and marketing website enforce encrypted connections by redirecting any unencrypted request to the encrypted version of that resource. Both websites also send an HSTS header, so that once a browser has visited them it will not attempt an unencrypted connection on later visits, even if a user types or follows an http:// link.
- Server instances which serve URL redirects and the EasyRedir dashboard have encrypted filesystems.
- Systems that store personally identifiable information require encrypted connections and encrypt data at rest. Highly sensitive data (e.g. SSL private keys) is additionally encrypted with AES-256-GCM, and the keys used for that encryption are rotated regularly.
- We only use TLS encrypted connections to transmit information to the third-party vendors we work with, and only for the purposes of providing our service.
- Bulk data (e.g. logs, analytics data, etc.) is encrypted in transit and at rest. Encryption is enforced automatically by storage policies rather than left to individual configuration.
- We never store your actual password. Passwords in EasyRedir are stored only as salted and peppered hashes: each password gets its own random salt, and a server-side secret (the pepper) that is kept outside the database is mixed in as well, so a copy of the database alone is not enough to attack the stored hashes.
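As an added illustration of what "salted and peppered" means in practice, the following example shows one way to implement it. This is example code written for this page, not EasyRedir's implementation: the page does not state which password hashing function or parameters EasyRedir uses, so the choice of scrypt (via the Python standard library), the cost parameters, the record format and the pepper value are all assumptions made here. The point it demonstrates is that the salt is stored with the hash while the pepper is not, so verification needs both the stored record and the server-side secret.

```python
import hashlib
import hmac
import secrets

# The pepper is a server-side secret that must live OUTSIDE the database
# (environment variable, KMS, secrets manager). The value below is a
# placeholder constructed for this example only.
PEPPER = b"example-pepper-not-for-production"

# scrypt cost parameters (assumed values, chosen so the example runs quickly;
# tune to your hardware). Memory use is about 128 * N * r bytes.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_LEN = 16   # bytes of random salt per password
DKLEN = 32      # length of the derived hash in bytes


def _pepper(password: str, pepper: bytes) -> bytes:
    """Mix the pepper into the password with HMAC before running the KDF.

    HMAC keeps the pepper secret even if the KDF output leaks, and keeps the
    KDF input a fixed length regardless of the password's length.
    """
    return hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()


def hash_password(password: str, pepper: bytes = PEPPER) -> str:
    """Return a storable record of the form scrypt$N$r$p$salt_hex$hash_hex.

    The salt is generated fresh for every call and stored in the record;
    the pepper is deliberately NOT part of the record.
    """
    salt = secrets.token_bytes(SALT_LEN)
    dk = hashlib.scrypt(_pepper(password, pepper), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, record: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the hash from the record's own parameters and compare.

    Parameters are read from the record so that cost settings can be raised
    for new passwords without invalidating existing records. Comparison is
    constant-time to avoid leaking how many leading bytes matched.
    """
    try:
        algo, n, r, p, salt_hex, hash_hex = record.split("$")
        if algo != "scrypt":
            return False
        n, r, p = int(n), int(r), int(p)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record
    dk = hashlib.scrypt(_pepper(password, pepper), salt=salt,
                        n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(dk, expected)


def demo() -> dict:
    """Show the three properties a reviewer would check: per-user salts make
    identical passwords hash differently; verification succeeds with the
    right pepper; and a leaked record cannot be verified without the pepper."""
    pw = "correct horse battery staple"
    rec_a = hash_password(pw)
    rec_b = hash_password(pw)
    return {
        "distinct_records_for_same_password": rec_a != rec_b,
        "verifies_with_pepper": verify_password(pw, rec_a),
        "rejects_wrong_password": not verify_password("wrong", rec_a),
        "rejects_without_pepper": not verify_password(pw, rec_a, pepper=b"leaked-db-only"),
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

If the pepper is ever rotated, existing records cannot be re-verified without the old pepper, so a pepper rotation in practice means keeping the old value available until each user next logs in and their record is re-hashed, or versioning the pepper in the record (e.g. a pepper id field) so the right one can be looked up.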
Use of Network Segmentation
We have engineered EasyRedir to make use of network segmentation whereby we isolate components of our infrastructure from each other. Here are some specifics:
- None of the infrastructure that processes URL redirects or serves the EasyRedir dashboard is reachable directly from the Internet.
- Each type of component in our infrastructure lives within its own subnet, and those subnets are isolated from each other using network ACLs.
- Each infrastructure component has a security group assigned to it ensuring it can only communicate with other systems as required.
- All system logs are shipped off-site to trusted third-party vendors as they are written, so that an attacker who compromises a host cannot erase the record of what happened and we retain an auditable trail in the event of a breach.
Data Retention and Deletion
We understand that you own your data, and you should have ultimate control over it. Here are some specifics on what we do with your data when you cancel your account:
- If you delete your organization account, we immediately remove your URL redirects, SSL certificates, and team membership records from our systems. We also delete your payment information from our billing systems.
- If you delete your user account, we immediately remove your user account and all associations to any organizations you may belong to.
- We will retain any communication we have had with you for legal and anti-fraud purposes.
- We will retain all aggregated data we have assembled based on your usage of EasyRedir. This will not include any personally identifiable data.
- Our logging storage systems are configured with policies that automatically schedule for deletion any logs older than 6 months.
- Our raw analytics storage systems (which may contain your IP address, or the IP addresses of visitors to websites you were redirecting through EasyRedir) are configured with policies that automatically schedule for deletion any logs older than 30 days.
PCI Compliance
We are PCI compliant with PCI DSS v3.2, Rev 1.1 and have a PCI SAQ-A certification we can share with you if required. Get in touch at firstname.lastname@example.org.
GDPR Compliance
We are GDPR compliant. Please see our Data Processing Addendum for further information.
ISO 27001 Compliance
EasyRedir is not specifically ISO 27001 compliant, but the data centers we use are. If you require attestation documentation for this, please get in touch. We can point you in the right direction to get these documents.
SOC Compliance
EasyRedir is not specifically SOC compliant, but the data centers we use are. If you require attestation documentation for this, please get in touch. We can point you in the right direction to get these documents.
Privacy Shield Compliance
We are not a member of the Privacy Shield framework, but we are considering self-certification. Please let us know if this is important to you by emailing us at email@example.com.
HIPAA Compliance
EasyRedir is not subject to HIPAA compliance because we do not create, use, store or transmit Protected Health Information, nor do we enable our customers to do so.
Responsible Disclosure
We are truly thankful when white-hat security professionals responsibly disclose security vulnerabilities they find to us. If you would like to report a vulnerability, please email us at firstname.lastname@example.org. Although we do not have a formal bug bounty program, depending on the nature of the vulnerability, we may consider sending a small “thank you”.