Sembark's Security Details
Introduction
As an online web application, we recognize the importance of excellent security practices. While we are a small team, we work hard to punch above our weight on security.
This document covers our security practices and policies. If you are interested in the data we collect and store, please see our privacy policy.
General practices
- Access to servers, source code, and third-party tools are secured with two-factor auth.
- We use strong, randomly-generated passwords that are never re-used.
- Employees and contractors are given the lowest level of access that allows them to get their work done. This rarely includes access to production systems or data.
- We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
- We don't copy production data to external devices (like personal laptops).
Access control and organizational security
Personnel
Our employees and contractors sign an NDA before gaining access to sensitive information.
Penetration testing
We have yet to perform penetration testing but we have not been notified regarding any security vulnerabilities since our launch in 2020. In addition, we welcome reports from security researchers at support@sembark.com.
Authentication
At sign-up, each customer is given an invite link to share with their team. Each team member can use that link to set up a new account with their email and password. User passwords are hashed using bcrypt before being stored.
User login are protected against CSRF and we use session based authentication for our application. When a user logs in, they are given a 20-byte authentication token, generated by Laravel Sanctum. The token is invalidated after 1 days of generation.
All further interaction with the API is done by providing cookie with this token.
Encryption
All communication between the Sembark client and our backend is encrypted with TLS 1.2. Our backend server is managed by AWS and we use Let's Encrypt for Automated Certificate Management. User data is stored in AWS RDS and details of their implementation can be found here.
Metadata about app usage and pairing sessions are stored in Google Analytics using their API. Details of their security processes can be found in their marketing platform's terms
Data flows
All personal data flow happens from Sembark Client to our backend using APIs over TLS.
Data retention/logging
Logs are stored along side to our backend infrastructure.
These logs are retained for 30 days, after which they are permanently deleted.
Software development practices
- Code written by any developer is signed off by at least one other person before committing.
- Code is tested in a staging environment against a QA checklist and with automated and manual testing before deploying to production.
Vulnerability detection
Both the client and our backend are regularly scanned for dependencies with known security vulnerabilities.
Vulnerable dependencies are patched and redeployed rapidly.
Hosting
Our backend server is hosted on Amazon Web Services.
Amazon's data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
FAQs
What user data do you collect?
We're not in the business of making money off of data. We do collect information about how users are interacting with our app so we can improve the product and provide faster, more effective support when issues arise. These events include:
- Sign-In and Sign-Out events
- Interaction with features of the app
- Crashes and other errors
- Changes in network availability status
- Changes in connectivity state with our backend server
In addition, the following metadata is collected by Google Analytics:
- The version of the Sembark being used
- The user's operating system version
- The user's display dimensions
Users are identified in our system by their email address and are asked to provide a name. We don't attempt to collect any demographic information, and don't log IP addresses on incoming connections.
How do I report a potential vulnerability or security concern?
Please email us at support@sembark.com, which will notify us very loudly and we'll get back to you ASAP.
Are you SOC 2 or ISO 27001 certified?
While we'd eventually love to achieve these certifications, we don't hold them at this time.
Any further questions?
Great! Please email us and we'll happily update this doc
Questions about the Terms, Privacy and Procedures should be sent to support@sembark.com