Introduction
At HumongouS.io, we take security very seriously.
This page is an overview of the steps we take to ensure that your data is safe and secure at all times.
This is a living document and we will continue to update it as we make new security improvements to our products and update existing ones.
Storage and Infrastructure Security
All HumongouS.io production servers run on recent and continuously patched Linux systems.
All sensitive persistent data is encrypted at rest using AES-128 or an equivalent standard.
All user data, APIs and services are hosted, processed and stored on AWS.
AWS is currently the largest cloud hosting provider. It meets the security requirements of the most security-sensitive organizations and has undergone multiple certifications that attest to its ability to secure HumongouS.io data.
You can read more about AWS's security here.
AWS security capabilities we currently leverage are:
- Frequent automatic pen-testing of its infrastructure. Reports to be found here.
- Identity and access control using IAM, Directory Service and multi-factor authentication (MFA).
- Monitoring and logging of all instance activity.
- DDoS mitigation.
- Data encryption on all services we use.
All HumongouS.io data resides in data centers located in the United States.
Network Security
HumongouS.io uses industry standard encryption to protect your data in transit and within our data centers.
HumongouS.io web servers use HTTPS (TLS 1.2) to prevent eavesdropping and man-in-the-middle attacks. Our TLS certificates use 2048-bit RSA keys and are signed with SHA-256.
We also use a combination of AWS VPCs, Application Load Balancers and Security Groups to expose only a limited set of resources to the internet.
We plan to continue improving our transport security posture to support our commitment to protecting your data.
Operational Security
We follow a number of practices in our day-to-day operations to ensure that we do not accidentally compromise our users' data or our systems.
- Source code that will be pushed to production is subject to a number of automated security pre-commit checks as well as code review by qualified engineers.
- We have a staging environment that mirrors production. Every production release goes through the staging pipeline first, to minimize the probability of an issue slipping through code review.
- On top of the staging environment, we use rolling deployments with close monitoring so that issues are caught before a release is available globally.
- Access to our production infrastructure is granted solely on business need, and every access is logged and auditable.
- We log events and user interactions on the server side. This includes web server access logging, as well as activity logging for actions taken on the client side.
Application Security
HumongouS.io stores your password using PBKDF2 (Password-Based Key Derivation Function 2). We select the number of hashing iterations to strike a balance between user experience (login latency) and the cost of offline password cracking.
In case of a password change or account deactivation, all authorization tokens are immediately invalidated.
We also limit failed login attempts on both a per-account and per-IP-address basis to slow down password guessing attacks.
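One way to put the three mechanisms above together, as an added example that is not HumongouS.io's code: salted PBKDF2-HMAC-SHA256 with the iteration count stored alongside the hash (so it can be raised later, and calibrated to a target cost on the host), authorization tokens bound to a per-user version number that is bumped on password change or deactivation so every outstanding token fails at once, and a sliding-window failure counter keyed by both account and source IP. The iteration floor, window sizes, token format and token lifetime are assumptions, not the service's settings.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict

# Added example, not HumongouS.io's code; every parameter value is an assumption.
PBKDF2_ITERATIONS = 600_000   # OWASP's current floor for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
TOKEN_TTL = 3600              # seconds an authorization token stays valid
SIGNING_KEY = os.urandom(32)  # constructed here; production loads it from a secret store

def hash_password(password, iterations=PBKDF2_ITERATIONS):
    """Salted PBKDF2-HMAC-SHA256. The iteration count travels with the hash so it can be raised later."""
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"

def verify_password(password, stored):
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))  # constant-time compare

def calibrate_iterations(target_seconds=0.25, probe=50_000):
    """Pick an iteration count costing about target_seconds per hash on this host, never below the floor."""
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", b"probe", b"\x00" * SALT_BYTES, probe)
    per_iteration = (time.perf_counter() - start) / probe
    return max(PBKDF2_ITERATIONS, int(target_seconds / per_iteration))

# Hash verified for unknown usernames so response time does not reveal which accounts exist.
DUMMY_HASH = hash_password(os.urandom(8).hex())

class User:
    def __init__(self, username, password, iterations=PBKDF2_ITERATIONS):
        self.username = username
        self.password_hash = hash_password(password, iterations)
        self.token_version = 0  # bumped on password change or deactivation
        self.active = True

def issue_token(user, now):
    payload = f"{user.username}:{user.token_version}:{int(now)}"
    sig = hmac.new(SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    return f"{payload}.{sig}"

def token_valid(token, users, now):
    payload, _, sig = token.rpartition(".")
    expected = hmac.new(SIGNING_KEY, payload.encode(), "sha256").hexdigest()
    if not hmac.compare_digest(sig, expected):
        return False
    username, version, issued = payload.rsplit(":", 2)
    user = users.get(username)
    return (user is not None and user.active
            and int(version) == user.token_version
            and now - int(issued) < TOKEN_TTL)

def change_password(user, new_password, iterations=PBKDF2_ITERATIONS):
    user.password_hash = hash_password(new_password, iterations)
    user.token_version += 1  # every token issued before this moment now fails token_valid

def deactivate(user):
    user.active = False
    user.token_version += 1

class LoginLimiter:
    """Counts failed logins per account and per source IP inside a sliding window."""
    def __init__(self, max_per_account=5, max_per_ip=50, window=900):
        self.max_per_account, self.max_per_ip, self.window = max_per_account, max_per_ip, window
        self.failures = defaultdict(list)  # ("acct", name) / ("ip", addr) -> failure timestamps

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if now - t < self.window]
        return len(self.failures[key])

    def allowed(self, username, ip, now):
        return (self._recent(("acct", username), now) < self.max_per_account
                and self._recent(("ip", ip), now) < self.max_per_ip)

    def record_failure(self, username, ip, now):
        self.failures[("acct", username)].append(now)
        self.failures[("ip", ip)].append(now)

    def record_success(self, username):
        self.failures.pop(("acct", username), None)

def login(users, limiter, username, password, ip, now=None):
    """Returns (token, reason). Limits are checked before hashing so locked-out attempts stay cheap."""
    now = time.time() if now is None else now
    if not limiter.allowed(username, ip, now):
        return None, "rate_limited"
    user = users.get(username)
    ok = verify_password(password, user.password_hash if user else DUMMY_HASH)
    if user is not None and user.active and ok:
        limiter.record_success(username)
        return issue_token(user, now), "ok"
    limiter.record_failure(username, ip, now)
    return None, "invalid_credentials"
```

Two design points worth noting: the limiter is consulted before any PBKDF2 work, so an attacker who has tripped the lockout cannot use the expensive hash as a CPU-exhaustion lever, and a lockout on the account alone (without the per-IP counter) would let password spraying across many accounts from one address go unnoticed, which is why both keys are tracked.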
Below is a non-exhaustive list of application-level security precautions we take in order to prevent the most common known attacks:
- The use of iframes is very limited, and code changes in areas that require them are carefully reviewed.
- All of our web clients carry protections against XSS and CSRF attacks.
- We only use signed and Secure cookies, and we set the HttpOnly flag whenever possible.
- All API endpoints accessing users data require authentication and authorization. Both authentication and authorization are done on a per-request basis.
- Most endpoints are subject to payload size restriction and request rate limits.
- All requests are logged and made searchable by our operations team.
Payment Security
We use Stripe for payment processing and do not store any credit card information. Stripe is a trusted PCI DSS Level 1 Service Provider.
Learn more.
Resiliency / Availability
We operate a fault-tolerant architecture to ensure our services are available when you need them. Thanks to our cloud partner, we are able to provide:
- Redundant application load balancers
- Redundant servers and virtual instances
- Redundant underlying storage
- Redundant database replicas
AWS also provides fault-tolerant facility services including power, HVAC, and fire suppression.
We provide live and historical status updates on our service availability at humongous.io/status
Privacy and Compliance
Responsible disclosure of security vulnerabilities
We want to keep HumongouS.io apps safe for everyone. If you've discovered a security vulnerability, we appreciate your help in disclosing it to us in a responsible manner.
Publicly disclosing a vulnerability can put HumongouS.io at risk. If you've discovered a security concern, please email us at security<at>humongous.io
Emails received at security<at>humongous.io are given the highest priority. We'll work with you to make sure your security concern is addressed appropriately and in a timely manner.