Our data center resides at Amazon AWS, a world-class provider of cloud-computing services. With the AWS ISO 27001 certification, AWS complies with a broad, comprehensive security standard and follows best practices in maintaining a secure environment. AWS maintains SOC 3 compliance relating to the security and availability of their services.
Our application architecture is designed to logically separate all data and systems. We employ robust, redundant data storage in order to offer high data durability. We utilize redundant, load-balanced systems in order to achieve services with high availability. Our applications securely transmit all sensitive information over HTTPS utilizing modern SSL certificates from well-known and trusted certificate authorities. All customer data is stored within secure databases which are only accessible internally to our systems. Sensitive data such as first and last names, email addresses and dates of birth are secured in transit across the internet. Contact date of birth is the only personally identifiable information (PII) we store. Our intention is to further secure contact date of birth at rest in the near future.
Our technology team employs security audits and risk assessments at monthly intervals, focusing on data center security, application security, and various security controls around related staff and processes according to industry best practices. We employ AWS-recommended practices, including the configuration of our network within their environment, logging and monitoring compliance on all data center activity, and access controls across all services. We employ a strict password policy and multi-factor authentication for all credentials which have access to sensitive data and critical systems. Our team partners with a third-party security firm, Compass IT, for annual penetration testing against our data center infrastructure and our applications.