Optery's Statement on Data Security
This page explains how we secure and protect our registered users’ and paying customers’ data.
Last Updated: July 19, 2021
We utilize a number of technical, organizational and physical strategies and tactics to secure your personal information. We employ experienced, professional engineers dedicated to the healthy function of our systems and protecting your information. Securing our customers’ data is a continuous priority for our company and is considered seriously in every decision we make.
World-class Infrastructure Hosted in the United States
Optery products run on world-class infrastructure in separate access-controlled environments provided by Amazon Web Service (AWS). AWS provides state of the art security for its platforms and facilities. Amazon complies with the latest industry security standards and has received multiple certifications and reports, including ISO 27001/27017/27018 and AICPA SOC 1, SOC 2, and SOC 3 (SSAE 16/ISAE 3402). For more information on Amazon’s security credentials, please visit aws.amazon.com/security and aws.amazon.com/compliance/soc-faqs/
All user data in transit, including usernames and passwords, is encrypted using Transport Layer Security (TLS) v1.2 protocol (i.e. HTTPS / SSL) to prevent interception of your data.
All data at rest is encrypted using encrypted database instances at Amazon using the industry standard AWS RDS with Advanced Encryption Standard (AES) 256-bit encryption algorithm. Encryption keys and encrypted data are stored separately using AWS’ Key Management System (KMS). We encrypt user account passwords using the PBKDF2 algorithm with a SHA256 hash.
User Authentication and Passwords
When creating and updating accounts, users are not permitted to save weak or obvious passwords. User account passwords must be a minimum of eight characters long, and contain at least one number, symbol, and uppercase and lowercase character.
Multi-factor Authentication (MFA) / 2-Step Verification (2FA)
Optery supports Multi-factor Authentication (MFA) / 2-Step Verification (2FA) for all accounts for an additional layer security. MFA / 2FA is highly recommend, but not required.
Adding MFA / 2FA helps prevent your account from being compromised at login from someone that has guessed or stolen your password. In order to enable MFA / 2FA, you first need to install on your mobile device an authenticator application such as Google Authenticator, Authy, or any other compatible authenticator app. The authenticator app will generate a new six digit Time-Based One-Time Passcodes (TOTP) every 30 seconds. This passcode, which is also sometimes referred to as a “token”, will be used when you login as an additional verification that you are true owner of the account, and not an intruder.
Optery minimizes the number of individuals that have access to user data and critical systems necessary to do their jobs using the “least privilege” principle. For those that do have access, we secure access using strong passwords and two-factor authentication (2FA) whenever possible. When employees and contractors are terminated from the company, their data and systems access privileges are revoked immediately.
Applications and System Security
Our applications and systems are kept up-to-date to ensure they are and patched with the latest security updates. Critical applications and systems passwords are only issued to a few individuals in the company.
Employee and Contractor Confidentiality Agreements
Prior to the start of employment or services, Optery requires all employees and contractors to sign confidentiality and non-disclosure agreements preventing the employees and contractors from storing or distributing user information outside the scope of their responsibilities for the company.
We utilize some of the best third party vendors in the world who share our commitment to protecting user data.
Amplitude is used for product analytics. We do not explicitly store personal information in Amplitude. For more information on Amplitude’s stance on security and privacy: amplitude.com/amplitude-security-and-privacy
Crisp provides our help desk and live chat support software. Providing personal information through our support channels results in personal information being stored in Crisp. For more information on Crisp’s stance on data security: help.crisp.chat/en/article/how-is-security-managed-on-crisp-services-1p8p1lm/
Customer.io is used for email marketing and marketing automation. Personal information such as email address and name are used to send account information and notifications through Customer.io. For more information on Customer.io’s stance on data security: customer.io/legal/security/
Google Marketing Platform products such as Google Analytics, Google Tag Manager, and Google Optimize are used for product analytics, tag management, and user experience optimization. We do not explicitly store personal information in Google Marketing Platform. For more information on Google’s stance on data protection: privacy.google.com/businesses/compliance/
Hotjar is used for product analytics. We do not explicitly store personal information in Hotjar. For more information on Hotjar’s stance on privacy and data security: help.hotjar.com/hc/en-us/categories/360003405813
Stripe processes payments for Optery such as credit card transactions. Payment details such as credit card number, expiration date, and CVC code are never made accessible to Optery. For more information on Stripe’s stance on data security: stripe.com/docs/security
SendGrid is used to send emails. Personal information such as email address and name are used to send account information and notifications through SendGrid. For more information on SendGrid’s stance on data security: sendgrid.com/policies/security/
Reporting Security Concerns
If you believe you’ve found a potential user data security vulnerability with Optery, or if you believe we have not honored this statement, please Contact Us providing as much information as possible and we will review and act on your inquiry carefully and as necessary.