Security

We've built EasyAnnounce to be secure using the latest practices and technology.

Introduction

The statements on this page describe our security posture and aim to show that we take security seriously.

Expectations

We aim to meet your expectations around security requirements. However, if you have greater needs, please reach out to discuss potential timelines or amendments.

Responsible Vulnerability Disclosures

We welcome and appreciate professionals disclosing any platform vulnerabilities; however, there is no bug bounty program running. We will aim to resolve any issues found and, if the finding is published, we will give you credit.

All requests between your web browser or application, our website, our API gateway, worker servers, and trusted third-party providers are encrypted in transit via HTTPS using strong ciphers (AES-256) and certificate signatures (RSA or ECDSA) with SHA-256 or stronger. We support only TLS 1.2 or later.

Our private CDNs and our databases are all encrypted in transit and at rest, and they are SOC 2 Type 2 and HIPAA compliant. We do not store any of your customer names or details that are part of an announcement request beyond the lifecycle of that announcement or name lookup.

The database we use for our web app utilizes Row Level Security (RLS) to help meet any enterprise requirements you may have for separation of data. Organizational IDs are always hashed before any use outside of this database (e.g. for quota enforcement and API gateway management).
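As an added illustration of the two controls just described (this is not EasyAnnounce's schema or code; the table, column, role and setting names are assumptions), the PostgreSQL fragment below isolates one organisation's rows with a Row Level Security policy driven by a per-transaction setting, and derives the identifier that leaves the database with a keyed hash. The page only says the IDs are "hashed"; using an HMAC with a secret pepper is this example's choice, so that a known ID format cannot simply be re-hashed to reverse the mapping.

```sql
-- Added example, not EasyAnnounce's schema: tenant isolation with
-- PostgreSQL Row Level Security, plus a hashed organisation ID for
-- use outside the database. All names below are assumptions.
CREATE EXTENSION IF NOT EXISTS pgcrypto;

CREATE TABLE announcements (
    id          bigserial   PRIMARY KEY,
    org_id      uuid        NOT NULL,
    body        text        NOT NULL,
    created_at  timestamptz NOT NULL DEFAULT now()
);

-- Enable RLS and FORCE it so the table owner is also subject to the
-- policy; otherwise admin scripts or migrations could read every tenant.
ALTER TABLE announcements ENABLE ROW LEVEL SECURITY;
ALTER TABLE announcements FORCE ROW LEVEL SECURITY;

-- The application sets app.current_org_id once per transaction after
-- authenticating the caller. With missing_ok = true an unset value yields
-- NULL, the comparison is NULL, and no rows are visible: fail closed.
-- WITH CHECK also stops writes that carry another organisation's ID.
CREATE POLICY org_isolation ON announcements
    USING      (org_id = current_setting('app.current_org_id', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org_id', true)::uuid);

-- Least-privilege application role: only table access, only via the policy.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON announcements TO app_user;
GRANT USAGE, SELECT ON SEQUENCE announcements_id_seq TO app_user;

-- Per-request usage inside the request's transaction (SET LOCAL resets at
-- COMMIT/ROLLBACK, so a pooled connection cannot leak the tenant):
-- BEGIN;
-- SET LOCAL app.current_org_id = '11111111-1111-1111-1111-111111111111';
-- SELECT id, body FROM announcements;   -- only this organisation's rows
-- COMMIT;

-- Identifier handed to quota enforcement / the API gateway. The pepper is
-- assumed to come from a secret store; the raw org ID is never exported.
CREATE OR REPLACE FUNCTION external_org_key(org uuid, pepper text)
RETURNS text
LANGUAGE sql IMMUTABLE STRICT AS $$
    SELECT encode(hmac(org::text, pepper, 'sha256'), 'hex');
$$;

-- Example call (constructed UUID; pepper supplied by the application):
-- SELECT external_org_key('11111111-1111-1111-1111-111111111111', '<pepper>');
```

A useful check when adopting this pattern is to open a session as `app_user` without setting `app.current_org_id` and confirm that `SELECT count(*) FROM announcements` returns 0, which verifies the policy fails closed rather than open.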

Our frontend and backend services are both protected by dedicated Web Application Firewalls, with only essential access provisioned and rules to limit disruption by bots and DDoS attacks.

We use Stripe to process your payments and manage your subscriptions. We do not store or process any of your payment card data. We are a merchant in the PCI DSS SAQ A category.

To meet our expected PCI DSS SAQ A merchant obligations, we carry out quarterly scanning of our front-end website. We aim to resolve any issues found within 48 hours.

We regularly check for and apply critical software updates to our backend API servers and website; non-critical patching happens alongside normal development and performance updates.

We monitor for any CVEs affecting the software used on our API platform and front-end, and aim to action critical fixes (CVSS score above 9.0) within 48 hours of being made aware.

All of our control systems require MFA and a unique account per team member to access.

We have selected our third-party suppliers on the basis of location and compliance. Our providers (database, data centres and text-to-speech generation providers) are all SOC 2 Type 2, GDPR and HIPAA compliant.

Our databases are currently located in Canada and the EU to help meet any GDPR requirements you may have. Our infrastructure server and web server providers are both listed and active on the EU-US Data Privacy Framework.

We are a new startup, and we hope you can see that we are building our service to be as robust and secure as possible. This way we can scale easily and should be able to meet customer and compliance expectations. We aim to be SOC 2 Type 1 audited shortly; we welcome security questionnaires so we can answer your questions in more detail. Reach out via the contact page.

Contact Information

For more information or compliance requests please contact us via our contact page.