Terms, Privacy and Procedures

We're committed to keeping your data secure, your private information private, and being transparent about our practices as a business.

Sembark's Security Details

Introduction

As an online web application, we recognize the importance of excellent security practices. While we are a small team, we work hard to punch above our weight on security.

This document covers our security practices and policies. If you are interested in the data we collect and store, please see our privacy policy.

General practices

  • Access to servers, source code, and third-party tools is secured with two-factor authentication.
  • We use strong, randomly-generated passwords that are never re-used.
  • Employees and contractors are given the lowest level of access that allows them to get their work done. This rarely includes access to production systems or data.
  • We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
  • We don't copy production data to external devices (like personal laptops).

Access control and organizational security

Personnel

Our employees and contractors sign an NDA before gaining access to sensitive information.

Penetration testing

We have yet to perform penetration testing, but we have not been notified of any security vulnerabilities since our launch in 2020. In addition, we welcome reports from security researchers at support@sembark.com.

Authentication

At sign-up, each customer is given an invite link to share with their team. Each team member can use that link to set up a new account with their email and password. User passwords are hashed using bcrypt before being stored.

User logins are protected against CSRF, and we use session-based authentication for our application. When a user logs in, they are given a 20-byte authentication token generated by Laravel Sanctum. The token is invalidated 1 day after generation.

All further interaction with the API is done by providing a cookie that carries this token.
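The paragraph above names three mechanisms: bcrypt password hashing, an opaque 20-byte session token that expires after one day, and a cookie that carries it. The plain PHP below is an added illustration of those primitives, not Sembark's code and not Laravel Sanctum (which issues the real tokens); the function names, the SHA-256 digest stored server-side, the bcrypt cost of 12 and the cookie attributes are assumptions made for the example, while the 20-byte size and 1-day lifetime come from the policy.

```php
<?php
// Illustrative example only; not Sembark's or Laravel Sanctum's code.

const TOKEN_BYTES = 20;          // from the policy: 20-byte token
const TOKEN_TTL_SECONDS = 86400; // from the policy: invalidated after 1 day

// Hash a password with bcrypt. password_hash() generates a random salt and
// embeds algorithm, cost and salt in the returned string. Cost 12 is an
// assumed value for this example.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

// Constant-time comparison of a login attempt against the stored hash.
function verifyPassword(string $password, string $storedHash): bool
{
    return password_verify($password, $storedHash);
}

// Issue an opaque random token. Only its SHA-256 digest is kept server-side
// (an assumed design), so a leaked token table does not yield usable tokens.
function issueToken(int $now): array
{
    $plain = bin2hex(random_bytes(TOKEN_BYTES)); // 40 hex chars sent to the client
    return [
        'plain'      => $plain,
        'digest'     => hash('sha256', $plain),
        'expires_at' => $now + TOKEN_TTL_SECONDS,
    ];
}

// Validate a presented token: digest must match and lifetime must not be over.
function validateToken(string $presented, array $record, int $now): bool
{
    if (!hash_equals($record['digest'], hash('sha256', $presented))) {
        return false;
    }
    return $now < $record['expires_at'];
}

// Cookie attributes for carrying the token: not readable by page scripts,
// only sent over TLS, and not attached to cross-site requests (the SameSite
// attribute is one layer of the CSRF protection the policy mentions).
function tokenCookieOptions(int $expiresAt): array
{
    return [
        'expires'  => $expiresAt,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Lax',
    ];
}

// Demonstration with constructed values.
$hash = hashPassword('correct horse battery staple');
var_dump(verifyPassword('correct horse battery staple', $hash)); // matching password
var_dump(verifyPassword('wrong password', $hash));               // non-matching password

$issued = time();
$rec = issueToken($issued);
var_dump(validateToken($rec['plain'], $rec, $issued + 3600));  // one hour in: inside the window
var_dump(validateToken($rec['plain'], $rec, $issued + 90000)); // 25 hours in: past the window
var_dump(validateToken('not-the-token', $rec, $issued + 60));  // wrong token value
var_dump(tokenCookieOptions($rec['expires_at']));
```

The digest lookup means the server never stores the token the browser holds, and the expiry check is evaluated on every request rather than only at issuance, so a token cannot outlive the one-day window even if the client keeps sending it.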

Encryption

All communication between the Sembark client and our backend is encrypted with TLS 1.2. Our backend server is managed by AWS and we use Let's Encrypt for Automated Certificate Management. User data is stored in AWS RDS and details of their implementation can be found here.

Metadata about app usage and pairing sessions is stored in Google Analytics using their API. Details of their security processes can be found in their marketing platform's terms.

Data flows

All personal data flows from the Sembark client to our backend through our APIs over TLS.

Data retention/logging

Logs are stored alongside our backend infrastructure.

These logs are retained for 30 days, after which they are permanently deleted.

Software development practices

  • Code written by any developer is signed off by at least one other person before it is committed.
  • Code is tested in a staging environment against a QA checklist and with automated and manual testing before deploying to production.

Vulnerability detection

Both the client and our backend are regularly scanned for dependencies with known security vulnerabilities.

Vulnerable dependencies are patched and redeployed rapidly.

Hosting

Our backend server is hosted on Amazon Web Services.

Amazon's data center operations have been accredited under:

  • ISO 27001
  • SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
  • PCI Level 1
  • FISMA Moderate
  • Sarbanes-Oxley (SOX)

FAQs

What user data do you collect?

We're not in the business of making money off of data. We do collect information about how users are interacting with our app so we can improve the product and provide faster, more effective support when issues arise. These events include:

  • Sign-In and Sign-Out events
  • Interaction with features of the app
  • Crashes and other errors
  • Changes in network availability status
  • Changes in connectivity state with our backend server

In addition, the following metadata is collected by Google Analytics:

  • The version of Sembark being used
  • The user's operating system version
  • The user's display dimensions

Users are identified in our system by their email address and are asked to provide a name. We don't attempt to collect any demographic information, and don't log IP addresses on incoming connections.

How do I report a potential vulnerability or security concern?

Please email us at support@sembark.com, which will notify us very loudly and we'll get back to you ASAP.

Are you SOC 2 or ISO 27001 certified?

While we'd eventually love to achieve these certifications, we don't hold them at this time.

Any further questions?

Great! Please email us and we'll happily update this doc.


Questions about the Terms, Privacy and Procedures should be sent to

Contact Us

Please feel free to contact us for your queries.

Office Address

Sembark Tech. Pvt. Ltd

1192/1, 22nd Cross, 24th Main, HSR Layout, Near Akshardham Temple
Bengaluru, Karnataka, India - 560102