Âé¶¹´å

37° 48' 15.7068'' N, 122° 16' 15.9996'' W
cloud-native gis has arrived
Security & Privacy
Map data can be some of the most sensitive information your organization has, so you need a mapping provider who takes security seriously. Âé¶¹´å follows rigorous industry best practices to keep you and your data safe.
Key highlights

Private by default

Your data always belongs to you, and you control exactly who has access to it.

Hosted on AWS on US soil

Âé¶¹´å's platform is built on the same infrastructure trusted by the world's biggest corporations. Enterprise users can specify one of across the globe, or choose self-hosted Âé¶¹´å.

Educational Use Support

Âé¶¹´å has a strong DPA framework and is used by schools worldwide.

SOC 2 & GDPR compliant

Âé¶¹´å is proudly GDPR compliant & SOC 2 Type II certified.

Philosophies
Your Data, Safe & Secure
Your data is your business. Âé¶¹´å helps teams visualize and share data seamlessly with one another, while keeping data secure from outsiders. Âé¶¹´å is dedicated to keeping your data safe with top-of-the-line security features, privacy protections and all the capabilities of a fully on-demand cloud environment.
Secure Infrastructure & Processes
Your data is safe and secure on Âé¶¹´å. All Âé¶¹´å servers are in the U.S., our web traffic is fully encrypted, your credentials are encrypted at rest and in transit, and our systems are monitored 24/7 around the world to ensure their uptime. In addition, we require our employees to use multi-factor authentication when accessing our internal systems, which includes our code and customer data. You can rest assured that your information is in good hands with Âé¶¹´å.
Modern Platform, Modern Approach
As a modern, cloud-native mapping platform, we proudly leverage the first-rate security solutions offered by top-tier cloud vendors such as Render, Google Cloud and AWS. By utilizing their enterprise-grade protection, we ensure the safety and security of our users. All our data centers are equipped with 24-hour security and video surveillance, among other features. Plus, all Âé¶¹´å web traffic is safeguarded against DDoS attacks thanks to Cloudflare.
Access and Controls
Rest assured that Âé¶¹´å stores your user credentials with encryption-at-rest, ensuring that your password is never visible to us. In addition, Âé¶¹´å offers Google Single Sign On, providing our users with top-tier password protection.
Infrastructure and Network Security
  • Physical Access Control

    Âé¶¹´å collects limited personal information from users, including name, email address, and password. Âé¶¹´å also complies with applicable data protection laws like CCPA. More information is available in our privacy policy.

  • Render

    Render is a Platform as a Service provider. Âé¶¹´å uses Render’s services in its Oregon, US datacenter.

    Render is independently audited for SOC 2 compliance. All sensitive Âé¶¹´å data stored on Render is encrypted at rest.

  • Amazon Web Services (AWS)

    AWS is the leading cloud provider used by enterprises and governments worldwide. Âé¶¹´å uses AWS’ services in its US datacenters. By using AWS, Âé¶¹´å inherits all the security and compliance features built by AWS and depended upon by the world’s biggest companies, including most of the world’s leading financial institutions.

  • Logical Access Control

    AWS is the leading cloud provider used by enterprises and governments worldwide. Âé¶¹´å uses AWS’ services in its US datacenters. All Âé¶¹´å employees use designated accounts to access our infrastructure. Employees are not allowed to share access credentials. All access is further protected behind two-factor authentication. All private keys are stored with strong encryption. Access controls are monitored automatically every day and manually quarterly. By using AWS, Âé¶¹´å inherits all the security and compliance features built by AWS and depended upon by the world’s biggest companies, including most of the world’s leading financial institutions.

  • Penetration Testing

    Âé¶¹´å employs annual penetration testing by an independent third party. The third party engages with the production instances of the Âé¶¹´å service and is under contract.

    Any findings from the penetration testing are investigated by Âé¶¹´å’s security team and prioritized accordingly. The penetration testing schedule is monitored automatically.

  • Third-Party Audits

    Both Render and AWS are rigorously audited by third parties. Both Render and AWS boast SOC 2 Type 2 compliance as well as ISO 27001 certification.

    Âé¶¹´å undergoes SOC 2 compliance audits and has obtained our SOC 2 Type II report.

  • Intrusion Prevention and Detection

    Âé¶¹´å aims to make unauthorized intrusion as hard as possible. All Âé¶¹´å compute instances, both on AWS and Render, run in their own virtual private networks. No Âé¶¹´å compute instance allows SSH access, and all compute instances on AWS use a serverless infrastructure, meaning all instances are ephemeral and automatically killed when their task is complete or they reach their age limit, currently set to 24 hours.

    Furthermore, Âé¶¹´å uses AWS’s CloudTrail technology to monitor access to its services, and CloudTrail logs are automatically monitored daily for unauthorized access.

Business Continuity and Disaster Recovery
  • Provisioning

    Âé¶¹´å is over-provisioned, meaning all non-transient services like compute instances and databases have a lot of extra capacity in case of a demand spike. Our compute platform on Render is automatically spread across different availability zones and our platform on AWS is automatically horizontally scalable via Amazon’s Serverless stack.

  • Business Continuity Planning (BCP)

    All customer data is uploaded to AWS’ S3 service. Âé¶¹´å uses version-controlled S3 buckets with 99.99% availability. All data that is stored on Render is backed up daily. Âé¶¹´å also runs annual business continuity recovery exercises, and their schedule is monitored automatically.

  • Disaster Recovery

    All Âé¶¹´å data is uploaded to AWS’ S3 service, and all Âé¶¹´å buckets are version-controlled with no public access permissions. In the unlikely case of a disaster, Âé¶¹´å is able to recover the original data from S3 buckets.

Data Security and Privacy
  • Data Encryption

    All customer data uploaded to Âé¶¹´å is encrypted in transit and at rest. Customer data uploads from the browser happen over HTTPS via transport layer security (TLS) encrypted connections, and the data is stored on versioned AWS S3 buckets that are server-side encrypted. The settings on these buckets are monitored daily automatically.

    Application data that is stored on Render databases is also stored with encryption at rest. Âé¶¹´å never stores your password in cleartext.

    All Âé¶¹´å web traffic happens over HTTPS and certificates are managed automatically via Render and Cloudflare. Âé¶¹´å’s HTTPS settings are monitored automatically.

  • Data Access

    Âé¶¹´å employees might access customer data only for documented reasons and for a limited amount of time. All access happens via individual accounts tied to each employee and is logged for potential audits. Âé¶¹´å employees can store data on their systems for technical troubleshooting or customer support only for a limited amount of time and only if their systems are end-to-end encrypted. Âé¶¹´å employees’ personal devices used for such access are monitored hourly automatically.

Application Security
  • Google Sign-in

    Âé¶¹´å allows users to sign in via Google in lieu of a password. Signing in via Google allows users to benefit from Google’s world-class authentication safety features such as multi-factor authentication, passkey authentication and federated logins. Many Âé¶¹´å users integrate their federated login systems with Google, allowing them to have a Single Sign-On provider via Google.

  • Personal Access Tokens

    Âé¶¹´å allows users to create personal access tokens (PATs) to access Âé¶¹´å resources programmatically via application programming interfaces (APIs). PATs are stored with encryption on Âé¶¹´å databases and are exposed in cleartext only during creation. They are never logged. Users can revoke their PATs any time, or create multiple ones for various use cases.

  • Email Security

    Âé¶¹´å uses a strong domain-based message authentication, reporting, and conformance (DMARC) setup for its email. This makes spoofing (pretending to be Âé¶¹´å) or phishing scams much harder to employ. Âé¶¹´å’s DMARC settings are monitored automatically daily. For all domain name service setups, including DMARC, Âé¶¹´å uses AWS’ Route 53 service, inheriting the security and audit capabilities of AWS services.

Secure Software Development Lifecycle (SDLC)
  • Continuous Delivery (CD)

    Âé¶¹´å uses a continuous delivery methodology to deliver its software, meaning every single code change is delivered quickly to production. This allows quick resolution of customer issues, including security patches.

  • Continuous Integration (CI)

    Âé¶¹´å uses a continuous integration methodology to develop its software, meaning all code is continuously tested at each step of the process. These tests include static analysis of our code for vulnerabilities, checks for the introduction of unexpected dependencies to guard against supply-chain attacks, as well as unit and integration tests against bugs that might impact users and their security.

  • Version Control

    All Âé¶¹´å code is version controlled. Code changes must be requested via cryptographically verified methods, and all code changes must be approved by another person before they can be delivered to production via the CI/CD pipeline.

Corporate Security
  • Malware Protection

    All Âé¶¹´å-provided computers are registered to our Mobile Device Management (MDM) software. This MDM ensures that the workstations have correctly configured password managers, automatic updates, antivirus software, full disk encryption, and screensaver lock. These settings are checked for every single employee’s workstation every day.

  • Contingency Planning

    Âé¶¹´å runs regular business continuity and disaster recovery tabletop scenarios to plan for unforeseen events. These events include but are not limited to loss of key personnel, degradation of key infrastructure, and operational force majeure events. The remediations for these possible events are discussed annually.

  • Policies

    Âé¶¹´å maintains a wide array of policies regarding security. These policies are reviewed and updated annually where necessary.

    • Acceptable Use Policy
    • Asset Management Policy
    • Backup Policy
    • Business Continuity Plan
    • Code of Conduct
    • Controls Assessment Program
    • Data Classification Policy
    • Data Classification, Handling, and Retention
    • Data Protection Policy
    • Disaster Recovery Plan
    • Encryption Policy
    • Incident Management Policy
    • Incident Response Plan
    • Information Security Policy
    • Password Policy
    • Physical Security Policy
    • Responsible Disclosure Policy
    • Risk Assessment Policy
    • Software Development Lifecycle Policy
    • System Access Control Policy
    • Vendor Management Policy
    • Vulnerability Management Policy
  • Background Checks

    Âé¶¹´å runs a background check for all new hires globally. This check contains information such as:

    • Enhanced Identity Verification
    • US Criminal Record Check
    • National Sex Offender Registry Scan
    • Security Watchlist Scan
    • Fraud Scan
    • OFAC Global Sanctions Scan
    • Criminal Record Scan
    • Federal Record Scan
    • Single State County Record Scan
    • All State County Record Scan
  • Security Training

    All Âé¶¹´å employees are required to go through annual security training, as well as be presented with the policies. Acceptance of these policies and completion of security training is monitored automatically before employees can access any internal systems that include customer data.

  • Disclosure Policy

    Âé¶¹´å aims to notify customers of any data breaches as soon as possible via email and has documented policies. Known incidents are reported on our Twitter feed (twitter.com/felt) where users can see updates.

Vulnerability Disclosure
  • Security researchers are encouraged to reach out to Âé¶¹´å’s security team at security@felt.com with a working proof of concept. Âé¶¹´å does not have a bug bounty program, and encourages researchers to responsibly disclose issues.

Compliance Attestations and Certifications
  • Âé¶¹´å has received the following compliance attestations:
    SOC 2 Type II

    Interested parties can reach out to support@felt.com to request a copy of our SOC 2 Type II report.

  • Data Privacy Addendum

    Âé¶¹´å works with many educational institutions with their unique needs such as Family Educational Rights and Privacy Act (FERPA) and Children’s Online Privacy Protection Rule (COPPA) requirements. Âé¶¹´å maintains a robust Data Protection Addendum (DPA). Interested parties can reach out to support@felt.com to request our DPA.
