A lot of the questions Sarah and I have been asked since we launched Heavenly Organised a couple of weeks ago have been around security. It’s understandable, given the number of leaks involving private information in the past few years, for us all to be worried about the data we share online.
At Heavenly Organised we take security very seriously. Nothing is more important to us than the privacy of our users’ data. Part of our commitment to keeping users’ data safe is a commitment to transparency. We have a strong belief that transparency breeds trust, and trust is one of the foundations we want to build our business on.
In this blog post, I’m going to do my best to explain the security features in Heavenly Organised. I’ll start with the physical security of our servers, then explain the software security of the network our servers run on, and finally detail the privacy and security features of the Heavenly Organised application itself. At the end of this post, you’ll also find some tips on how to keep your Heavenly Organised account safe.
Our infrastructure is hosted by Amazon in the EU and we use Amazon Web Services (AWS) technology. Amazon continuously assesses and manages risk and has recurring evaluations to ensure security compliance with industry standards. Among other things, Amazon’s data centres have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Amazon has many years of experience designing, building and managing large-scale data centres. You can learn more about the security of our infrastructure at Amazon’s Security site.
Network and software security
All our applications are deployed behind firewalls to restrict access from external networks, and between systems internally. By default, all access is denied and only explicitly defined ports and protocols are allowed based on business need.
All the communication between your browser and our site is through SSL, and we require all cookies and tokens to be sent via HTTPS.
Our managed firewalls prevent IP, MAC, and ARP spoofing on the network. Packet sniffing is prevented by the infrastructure we run our services on. The Heavenly Organised site is deployed on infrastructure that utilizes application isolation, operating system restrictions, and encrypted connections to further ensure risk is mitigated at all levels.
The Heavenly Organised application’s privacy and security features
Our application’s data is stored in a separate access-controlled database. All connections to our database require SSL encryption to ensure a high level of security and privacy.
Our databases are all encrypted at rest (this means the whole database is encrypted) using AES-256 block level encryption. Additionally, all sensitive information that you input to Heavenly Organised is also encrypted before being saved (this means the database stores unreadable information) using Fernet symmetric authenticated cryptography.
Because of these measures, nobody at Heavenly Organised is able to read your sensitive information during normal operations.
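What "authenticated" means for a Fernet-encrypted field, as an added example (not Heavenly Organised's code): it rebuilds the Fernet token layout with the Python standard library and shows that a stored value altered by even one bit fails the HMAC check. The key, IV and ciphertext bytes are constructed placeholders, and the AES-128-CBC encryption step itself is left out.

```python
import base64, hashlib, hmac, struct

VERSION = 0x80  # first byte of every Fernet token

def split_key(fernet_key: bytes):
    """A Fernet key decodes to 32 bytes: 16 for HMAC signing, then 16 for AES."""
    raw = base64.urlsafe_b64decode(fernet_key)
    if len(raw) != 32:
        raise ValueError("key must decode to 32 bytes")
    return raw[:16], raw[16:]

def seal(signing_key: bytes, timestamp: int, iv: bytes, ciphertext: bytes) -> bytes:
    """Wrap an already-encrypted body in the Fernet layout and append the tag."""
    body = struct.pack(">BQ", VERSION, timestamp) + iv + ciphertext
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

def verify(signing_key: bytes, token: bytes):
    """Return (timestamp, iv, ciphertext) if authentic; raise ValueError if not."""
    data = base64.urlsafe_b64decode(token)
    if len(data) < 1 + 8 + 16 + 16 + 32 or data[0] != VERSION:
        raise ValueError("not a Fernet token")
    body, tag = data[:-32], data[-32:]
    expected = hmac.new(signing_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        raise ValueError("HMAC mismatch: field was altered or key is wrong")
    (timestamp,) = struct.unpack(">Q", body[1:9])
    return timestamp, body[9:25], body[25:]

def flip_byte(token: bytes, index: int) -> bytes:
    """Simulate a modified database field by flipping one bit of the raw token."""
    data = bytearray(base64.urlsafe_b64decode(token))
    data[index] ^= 0x01
    return base64.urlsafe_b64encode(bytes(data))

# Constructed sample values, not real key material or real ciphertext.
KEY = base64.urlsafe_b64encode(bytes(range(32)))
SIGNING_KEY, _ENCRYPTION_KEY = split_key(KEY)
IV, CIPHERTEXT = bytes(16), b"\xaa" * 32  # stands in for AES-128-CBC output
TOKEN = seal(SIGNING_KEY, 1_600_000_000, IV, CIPHERTEXT)

if __name__ == "__main__":
    print("stored field:", TOKEN.decode())
    print("authentic:", verify(SIGNING_KEY, TOKEN)[0])
    try:
        verify(SIGNING_KEY, flip_byte(TOKEN, 30))
    except ValueError as err:
        print("rejected:", err)
```

The tag is checked before any decryption is attempted, so a modified field is rejected without the encryption key ever touching it.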
Two-Factor Authentication (2FA)
We use two-factor authentication to provide an enhanced level of security for users’ accounts. With two-factor authentication, you must provide another form of verification in addition to your username and password. There are generally 4 two-factor authentication types:
- SMS based
- Authenticator/TOTP (Time-Based One-Time Password) based
- Push based
- FIDO/Security key based
SMS based 2FA is generally not considered a secure method since there are several ways to bypass it. At Heavenly Organised, we give you the option to enable two-factor authentication, and strongly encourage you to do so. You can do that in the Settings section once you’re logged in.
How to keep your account safe
Although we take every precaution to keep your data safe, you also play an incredibly important part in keeping your account safe and your information secure. Here are a few steps you can take to make sure your account is as safe as possible:
- Use a strong password, or, even better, use a password manager like 1Password.
- Don’t reuse your password from other sites.
- Don’t share your account details with anyone.
- Enable 2-factor authentication on your Heavenly Organised account.
Deleting your data
The data you store in Heavenly Organised belongs to you. If at any point you want to delete your account, all data associated with your account is also deleted immediately and irreversibly.
If you are a security researcher and have found an issue with Heavenly Organised, please consider using responsible disclosure. We’re a super-small couple-in-lockdown business, but we’ll be happy to reward your efforts in helping us keep Heavenly Organised safe and private.
Do you have any comments on security, or want to learn more about how we store your data? Tweet us!