Security Details

All HTTP traffic is encrypted in transit using TLS 1.2.
Data at rest can be stored in a number of places:
  • Uploaded content may persist to server disk temporarily and is encrypted at rest
  • Data stored in our Postgres database is also encrypted at rest
Accounts are managed by account administrators, who can delegate access by creating new user accounts. Access to manufacturer resources is determined by each manufacturer during the data sync, on a per-domain basis; an account is limited to the domain assigned to it.

Password Recommendations (NIST 800-63)
The NIST SP 800-63B password guidelines are followed, and in several cases exceeded:

  • 8 character minimum
  • At least 64 characters allowed – currently a 128-character limit, which may be raised in the future
  • All printing ASCII characters accepted – with full UTF-8 (Unicode) support
  • No password truncation
  • At least 10 failed attempts allowed before lockout
  • No composition (complexity) rules
  • No periodic password expiration
  • No password hints
  • No knowledge-based authentication (security questions)
  • No SMS for 2FA

Password Storage

Passwords are stored using PBKDF2 with HMAC-SHA256, a 128-bit random salt and a 256-bit derived subkey, at 10,000 iterations by default. That iteration count meets the NIST SP 800-63B minimum of 10,000 but is well below current OWASP guidance for PBKDF2-HMAC-SHA256 (600,000); the count is a configurable parameter and should be raised as hardware allows.
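As an added worked example (not the service's own code), the following Python shows what those storage parameters mean in practice: deriving the subkey with PBKDF2-HMAC-SHA256 from a random 128-bit salt at 10,000 iterations, verifying with a constant-time comparison, and transparently re-hashing to a higher iteration count when a user logs in. The self-describing record format, the NFKC normalization step (recommended by NIST SP 800-63B so the same password verifies regardless of how it was typed) and the 600,000 target are assumptions for illustration, not details taken from this page.

```python
import base64
import hashlib
import hmac
import os
import unicodedata
from typing import Optional, Tuple

# Parameters as stated on this page: PBKDF2-HMAC-SHA256, 128-bit salt,
# 256-bit subkey, 10,000 iterations by default.
SALT_BYTES = 16          # 128 bits
SUBKEY_BYTES = 32        # 256 bits
DEFAULT_ITERATIONS = 10_000
# Assumed higher target (current OWASP figure) used only to illustrate
# upgrading stored records on login; not a value from this page.
TARGET_ITERATIONS = 600_000
ALGORITHM = "pbkdf2-sha256"


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def _password_bytes(password: str) -> bytes:
    # NIST SP 800-63B recommends Unicode normalization (NFKC or NFC) before
    # hashing. The full UTF-8 byte string is fed to PBKDF2: no truncation.
    return unicodedata.normalize("NFKC", password).encode("utf-8")


def hash_password(password: str, iterations: int = DEFAULT_ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$subkey.

    A fixed salt may be passed for tests; production callers leave it None
    so every password gets a fresh random salt.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    subkey = hashlib.pbkdf2_hmac("sha256", _password_bytes(password), salt,
                                 iterations, dklen=SUBKEY_BYTES)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(subkey)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the subkey with the record's own salt and iteration count
    and compare in constant time. Malformed records verify as False."""
    try:
        algorithm, iterations, salt_b64, subkey_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(subkey_b64)
        actual = hashlib.pbkdf2_hmac("sha256", _password_bytes(password), salt,
                                     int(iterations), dklen=len(expected))
    except (ValueError, TypeError):
        return False
    # hmac.compare_digest does not leak the position of the first mismatch.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, target: int = TARGET_ITERATIONS) -> bool:
    """True if the record was produced with fewer iterations than the target."""
    return int(stored.split("$")[1]) < target


def login(password: str, stored: str,
          target: int = TARGET_ITERATIONS) -> Tuple[bool, Optional[str]]:
    """Verify the password. On success, also return an upgraded record when
    the stored one is below the target iteration count (None otherwise);
    the caller persists the upgraded record in place of the old one."""
    if not verify_password(password, stored):
        return False, None
    if needs_rehash(stored, target):
        return True, hash_password(password, iterations=target)
    return True, None


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(login("correct horse battery staple", record, target=20_000))
```

Keeping the iteration count inside each record is what makes the upgrade path work: old records keep verifying at 10,000, and each successful login silently replaces them with a record at the current target, so the parameter can be raised without a mass reset.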

Manufacturers can only update their own data; access to customer data is delegated by the manufacturers through our API.

Regular Patching
Operating system patches are applied regularly; high-risk security patches are applied as soon as possible, usually the same day. Application patches are checked with every minor revision.

Session
Session identifiers are stored in HttpOnly, Secure cookies: the browser will not expose the cookie to client-side script (including any third-party code on the page) and will only send it over HTTPS. Note that HttpOnly protects the cookie's confidentiality; it does not by itself prevent cross-site request forgery, which is addressed separately (for example with a SameSite attribute).
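As an added example (not the service's own code), the following Python is the check a reviewer would run against a captured Set-Cookie header to confirm the session cookie carries the flags described above, plus the SameSite attribute that HttpOnly alone does not give you. The cookie name, values and header strings are constructed for illustration.

```python
# Session cookie flag audit. Added example code; header strings are constructed.

def parse_set_cookie(header: str) -> dict:
    """Split one Set-Cookie header value into name, value and attributes.

    Attribute names are lower-cased; bare flags such as Secure and HttpOnly
    map to True, valued attributes (Path=/, SameSite=Lax) keep their value.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return {"name": name.strip(), "value": value.strip(), "attrs": attrs}


def session_cookie_findings(header: str) -> list:
    """Return the hardening gaps for a session cookie; empty means it passes."""
    attrs = parse_set_cookie(header)["attrs"]
    findings = []
    if attrs.get("httponly") is not True:
        findings.append("missing HttpOnly: readable via document.cookie by any "
                        "script on the page, including third-party code")
    if attrs.get("secure") is not True:
        findings.append("missing Secure: the browser will also send it over "
                        "plaintext http:// requests")
    if str(attrs.get("samesite", "")).lower() not in ("lax", "strict"):
        findings.append("SameSite not Lax/Strict: HttpOnly alone does not "
                        "stop cross-site request forgery")
    return findings


def hardened_set_cookie(name: str, value: str) -> str:
    """Build a Set-Cookie value with the flags a session cookie should carry."""
    return f"{name}={value}; Path=/; Secure; HttpOnly; SameSite=Lax"


if __name__ == "__main__":
    # Constructed sample: a cookie with only a Path attribute.
    weak = "session=3f9a1c; Path=/"
    for finding in session_cookie_findings(weak):
        print("weak   :", finding)
    print("hardened:", session_cookie_findings(hardened_set_cookie("session", "3f9a1c")))
```

Prefixing the cookie name with __Host- (and keeping Path=/ with no Domain attribute) makes the browser itself refuse the cookie unless it is Secure, which turns the Secure check from a convention into an enforced property.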


Client Application
The client application is written using a framework with built-in protection against cross-site scripting (XSS): all data is rendered as plain text by default and is only interpreted as HTML if a developer explicitly opts in. By design this is to be avoided, and any future requirement to render user-supplied HTML will rely on server-side sanitization of that HTML.
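As an added example (not the application's own code), the following Python shows both halves of that design: the default, where untrusted input is escaped and so is displayed rather than executed, and the opt-in case, where user-supplied HTML is reduced server-side to an allowlist of tags and attributes before it is ever handed to the client. The allowlist, the URL scheme list and the sample inputs are assumptions for illustration; the page names no specific sanitizer.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist for the opt-in "render user HTML" case (assumed for illustration).
# Anything not listed is dropped: unknown tags vanish but their text stays,
# unknown attributes (onerror=, onclick=, style=, ...) vanish.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")
VOID_TAGS = {"br"}


def render_as_text(untrusted: str) -> str:
    """The framework default: escape, so markup in the input is shown, not run."""
    return escape(untrusted, quote=True)


class _AllowlistSanitizer(HTMLParser):
    """Re-emit only allowlisted tags/attributes; escape all text."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # e.g. <script>, <img>, <iframe>
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue                # drops on* handlers, style, target, ...
            value = (value or "").strip()
            if name == "href" and not value.lower().startswith(SAFE_URL_PREFIXES):
                continue                # drops javascript:, data:, vbscript: URLs
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.open_tags:
            # Close anything opened after it as well, so output stays balanced.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        # <script> bodies arrive here too: they become inert escaped text.
        self.out.append(escape(data, quote=True))

    def result(self) -> str:
        self.close()
        while self.open_tags:           # close tags the input left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize_html(untrusted: str) -> str:
    """Server-side allowlist sanitization for the explicit opt-in case."""
    parser = _AllowlistSanitizer()
    parser.feed(untrusted)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample payloads.
    payload = '<b onclick="x()">hi</b><img src=x onerror=alert(1)><a href="javascript:alert(1)">x</a>'
    print(render_as_text(payload))
    print(sanitize_html(payload))
```

The two paths fail in different ways, which is why the default stays the default: escaping cannot go wrong for any input, while a sanitizer is only as good as its allowlist and must be applied on the server before the markup reaches the framework's explicit opt-in.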
