This page gives a high-level overview of our security posture. If you have any questions or concerns, please contact us.
On the application side, we use the latest available versions of our programming language and framework. Changes reach production only through our fully automated continuous integration and continuous deployment (CI/CD) pipeline.
Our applications' internal dependencies are checked automatically every day by Dependabot (a GitHub product) so that feature and security updates are applied as soon as they are available. Those changes all go through the pipeline mentioned above, where our extensive unit and integration test suite checks quality and security.
As for sensitive data, every user's password is stored using the industry-standard approach of a one-way cryptographic hash (currently bcrypt), so that even we cannot see the password after it is saved. Password resets and initial setup are done via email confirmation, with links to set a password. Whenever this happens, an email notifying the account holder of the change is sent.
Two-Factor Authentication is available to every user by default.
Sensitive credit card data never reaches our servers; it is stored only by our payment processor (Stripe).
DNS provider credentials are encrypted at rest using AES-256 with a key that has never been stored in our codebase. Those records are decrypted only in memory, at the moment our background workers need them for API calls.
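The pattern described above (a key that lives only in the deployment environment, ciphertext stored at rest, decryption in memory only when a worker needs the value) can be illustrated with a small worked example. The code below is an added illustration, not ZoneWatcher's own code; the environment variable name CREDENTIAL_KEY, the AES-256-GCM mode, the nonce-prefixed encoding and the sample credential are all assumptions of this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
	"os"
)

// loadKey reads the 32-byte AES-256 key from the process environment.
// CREDENTIAL_KEY is a hypothetical variable name (64 hex characters); the key
// is injected by the deployment environment and never committed to the repo.
func loadKey() ([]byte, error) {
	key, err := hex.DecodeString(os.Getenv("CREDENTIAL_KEY"))
	if err != nil || len(key) != 32 {
		return nil, errors.New("CREDENTIAL_KEY must be 64 hex characters (32 bytes)")
	}
	return key, nil
}

// encrypt seals plaintext with AES-256-GCM. A fresh random nonce is generated
// per call and prefixed to the ciphertext; GCM also produces an authentication
// tag, so any modification of the stored value is detected on decrypt.
// The result is base64 so it can live in an ordinary text column.
func encrypt(key, plaintext []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, plaintext, nil) // nonce || ciphertext || tag
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// decrypt reverses encrypt. It is meant to be called only inside the worker
// that needs the credential; the returned plaintext should not be persisted.
func decrypt(key []byte, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(raw) < gcm.NonceSize() {
		return nil, errors.New("stored value too short to contain a nonce")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil) // fails if the tag does not verify
}

func main() {
	key, err := loadKey()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	// Constructed sample credential; a real value would come from the user.
	stored, err := encrypt(key, []byte("dns-api-token-EXAMPLE"))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("stored at rest:", stored)
	plain, err := decrypt(key, stored)
	fmt.Printf("in memory for the API call: %s (err=%v)\n", plain, err)
}
```

The tamper check matters as much as the confidentiality: with GCM, a ciphertext altered in the database (or a value encrypted under a different key) fails to decrypt rather than yielding garbage that a worker might send to a third-party API.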
All admin accounts use strong passwords managed by a password manager and must have two-factor authentication (TOTP) enabled. Additionally, every user of the application receives an email whenever a new login or a failed login attempt occurs on their account.
Our infrastructure is split between two major cloud providers, Amazon Web Services (AWS) and Hetzner. All infrastructure accounts use strong passwords and two-factor authentication as well.
Our servers require strong SSH keys to log in. All unnecessary ports (everything besides HTTP/HTTPS) are closed. All internal traffic travels over a private network between servers, firewalled both by our cloud providers and by our own servers using a whitelist of allowed hosts.
All servers also have security updates set to install automatically every night.
All traffic to our application is carried over HTTPS/TLS. We use the latest TLS protocols and cipher suites and hold an A+ rating from SSL Labs. We also set strict HTTP security headers to prevent the most common attacks, such as session hijacking or JavaScript injection.
Cloudflare sits in front of our application, acting both as a CDN and as a Web Application Firewall to help block maliciously crafted requests and bots.
Application and database backups are performed multiple times per day and stored encrypted and offsite.
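As an added illustration of what "strict HTTP security headers" against session hijacking and script injection typically means in practice, the middleware below sets the common headers and issues a session cookie the browser will only send over HTTPS and never expose to scripts. This is example code, not ZoneWatcher's configuration; the specific header values, the cookie name and the listening address are assumptions of this example.

```go
package main

import (
	"log"
	"net/http"
	"time"
)

// secureHeaders wraps any handler and adds the response headers before the
// wrapped handler writes its body (headers set afterwards would be lost).
func secureHeaders(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		h := w.Header()
		// Force HTTPS for two years, subdomains included (assumed policy).
		h.Set("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload")
		// Only same-origin resources may load; no inline scripts, no plugins,
		// and the page may not be framed. This blunts injected JavaScript.
		h.Set("Content-Security-Policy", "default-src 'self'; object-src 'none'; frame-ancestors 'none'")
		h.Set("X-Content-Type-Options", "nosniff") // no MIME sniffing of responses
		h.Set("X-Frame-Options", "DENY")           // legacy clickjacking protection
		h.Set("Referrer-Policy", "strict-origin-when-cross-origin")
		next.ServeHTTP(w, r)
	})
}

// sessionCookie builds a session cookie that cannot be read by page scripts
// (HttpOnly), is never sent over plain HTTP (Secure) and is not attached to
// cross-site requests (SameSite=Strict). Together these make a stolen or
// forged session far harder to use. The cookie name "session" is assumed.
func sessionCookie(id string) *http.Cookie {
	return &http.Cookie{
		Name:     "session",
		Value:    id,
		Path:     "/",
		HttpOnly: true,
		Secure:   true,
		SameSite: http.SameSiteStrictMode,
		Expires:  time.Now().Add(24 * time.Hour),
	}
}

// missingHeaders reports which of the expected security headers a response
// lacks; useful as a self-check in tests or a deployment smoke test.
func missingHeaders(h http.Header) []string {
	var missing []string
	for _, name := range []string{
		"Strict-Transport-Security", "Content-Security-Policy",
		"X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy",
	} {
		if h.Get(name) == "" {
			missing = append(missing, name)
		}
	}
	return missing
}

func main() {
	mux := http.NewServeMux()
	mux.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
		// Constructed session id for the example; a real one is random.
		http.SetCookie(w, sessionCookie("example-session-id"))
		w.Write([]byte("ok"))
	})
	// TLS termination is assumed to happen at the CDN/WAF in front of the app.
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", secureHeaders(mux)))
}
```

The middleware must wrap the whole router, not individual handlers, so that error pages and redirects carry the same headers; a scanner such as SSL Labs or a browser's developer tools will show whether every response path is covered.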
We take security very seriously at ZoneWatcher. If you believe you have found a vulnerability in our application or infrastructure, please email us at support@zonewatcher.com and we will respond as soon as possible.
Our security.txt file lists further contact information and our PGP key.