We take security very seriously. It's our business to keep your business online, and security is a crucial part of that. However, this is not only about what we do; it's also about you, since we are in it together!
You are liable for the code you write and for your use of our API and keys. Please consider the following best practices:
Don't expose API secrets
Best practice for security and portability is to store API secrets in environment variables, provided those variables are not exposed either.
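As an added example (not Pelcro's own code), the pattern below reads the secret from the environment and refuses to start without it, redacts it before it reaches a log line, and runs a small heuristic scan that flags source lines which assign a long literal to a key-like name. The variable name PELCRO_SECRET_KEY and the sample source are assumptions constructed for the example; the page does not state what the key is called.

```python
import os
import re

# Assumed variable name: the page does not state what Pelcro's key is called.
SECRET_ENV_VAR = "PELCRO_SECRET_KEY"


class MissingSecretError(RuntimeError):
    """Raised when the process starts without the secret it needs."""


def load_secret(env=None, name=SECRET_ENV_VAR):
    """Read the API secret from the environment and fail fast if it is absent.

    `env` defaults to os.environ; a plain dict can be passed in tests so the
    real environment is never touched.
    """
    env = os.environ if env is None else env
    value = env.get(name, "").strip()
    if not value:
        raise MissingSecretError(f"{name} is not set; refusing to start without it")
    return value


def redact(secret, visible=4):
    """Render a secret for logs or error messages: only the last few chars survive."""
    if len(secret) <= visible:
        return "*" * len(secret)
    return "*" * (len(secret) - visible) + secret[-visible:]


# Matches assignments such as  SECRET_KEY = "sk_live_..."  or  api_key: '...'
# where the value is a long alphanumeric literal (a heuristic, not exhaustive).
HARDCODED_SECRET = re.compile(
    r"""(?i)\b(api[_-]?key|secret[_-]?key|secret)\s*[:=]\s*["']([A-Za-z0-9_\-]{16,})["']"""
)


def find_hardcoded_secrets(source):
    """Return (line number, variable name, redacted value) for each suspicious line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        match = HARDCODED_SECRET.search(line)
        if match:
            hits.append((lineno, match.group(1), redact(match.group(2))))
    return hits


# Constructed sample source: line 2 embeds a literal, line 3 reads the environment.
SAMPLE_SOURCE = (
    "import requests\n"
    'SECRET_KEY = "sk_live_constructedexample000"\n'
    'key = os.environ["PELCRO_SECRET_KEY"]\n'
)

if __name__ == "__main__":
    for lineno, name, value in find_hardcoded_secrets(SAMPLE_SOURCE):
        print(f"line {lineno}: {name} assigned a literal ({value}); move it to an environment variable")
    try:
        print("loaded secret ending in", redact(load_secret()))
    except MissingSecretError as exc:
        print("startup check failed:", exc)
```

The scan is deliberately simple; it is the kind of check that belongs in a pre-commit hook so a literal key never reaches the repository, while the environment remains the only place the real value lives.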
Use safe passwords
The password used to log in to the Pelcro Dashboard is a master password. Use a password manager or a passphrase. Don't share your account password; use the collaboration features instead.
Secure your code
Make sure to follow common security guidelines. It is good practice to run a security check against the most common attack vectors before going live. Also consult the OWASP Cheat Sheet Series to stop attacks before they can start.
Pelcro's platform allows our clients to be GDPR compliant by ensuring the platform can support all compliance rules. Our clients can download all customer data held on the platform, and can also edit or delete it. Under GDPR, our role is that of a data processor, while our clients act as data controllers.
You can export user data stored in the Pelcro platform either manually or programmatically. Raw data from Pelcro can be exported in machine-readable JSON format.
There are several Pelcro features that can help you meet GDPR requirements, such as user profile encryption, brute-force protection, breached password detection, step-up authentication, and more.
Pelcro is currently working to ensure our clients can be CCPA compliant while using our platform. Pelcro will work with all participating parties to ensure our platform is compliant in line with the enforcement schedule.
Pelcro's physical infrastructure is hosted and managed within Amazon's secure data centers on Amazon Web Services (AWS) technology. These data centers are certified under a number of security standards, including:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
AWS enforces a high level of physical security to safeguard its data centers, with military-grade perimeter controls and security staff at all points of ingress. As for environmental protection, AWS has sophisticated fire detection and suppression equipment, fully redundant power infrastructure with integrated UPS units, and high-end climate control systems to guarantee an optimal working environment for the hardware. For a more in-depth view, we refer you to the AWS Security Center.
Disaster recovery and backups
Pelcro takes disaster recovery seriously and automates backup creation to reduce data loss risk. Automatic off-site encrypted backups of code, data, and configurations are created on a daily basis. Backups are monitored and confirmations of their creation are sent by email every day. Backups include all required data, code and structure to re-create a production environment within a matter of hours.
Below is the backup retention schedule:
- Retain daily backups for 30 days
- Retain weekly backups for 8 weeks
- Retain monthly backups for 4 months
- Retain yearly backups for 10 years
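The schedule above decides which backups may be pruned on a given day, but only once "the weekly backup" and "the monthly backup" are pinned down. The added example below (not Pelcro's tooling) implements the four tiers as a retention plan over a constructed inventory of daily backup dates; it assumes that the first backup taken in each ISO week, calendar month and year is the designated copy for that period, so a failed run at the start of a period is covered by the next successful one, and it treats "4 months" and "10 years" as calendar months and years rather than fixed day counts. Every date and count in it is constructed for the example.

```python
from datetime import date, timedelta

# Retention tiers from the schedule above (number of periods kept per tier).
RETENTION = {"daily": 30, "weekly": 8, "monthly": 4, "yearly": 10}


def _week_key(d):
    """ISO (year, week) of a date; ISO weeks run Monday to Sunday."""
    iso_year, iso_week, _ = d.isocalendar()
    return (iso_year, iso_week)


def _month_key(d):
    return (d.year, d.month)


def _months_back(d, k):
    """(year, month) of the calendar month k months before d's month."""
    index = d.year * 12 + (d.month - 1) - k
    return (index // 12, index % 12 + 1)


def designated_copies(backups):
    """Assumption: the first backup in each ISO week, calendar month and year
    is the weekly, monthly and yearly copy for that period."""
    weekly, monthly, yearly = {}, {}, {}
    for d in sorted(backups):
        weekly.setdefault(_week_key(d), d)
        monthly.setdefault(_month_key(d), d)
        yearly.setdefault(d.year, d)
    return weekly, monthly, yearly


def retention_plan(backups, today):
    """Map every backup date to the list of tiers that require keeping it."""
    weekly, monthly, yearly = designated_copies(backups)
    keep_weeks = {_week_key(today - timedelta(days=7 * k)) for k in range(RETENTION["weekly"])}
    keep_months = {_months_back(today, k) for k in range(RETENTION["monthly"])}
    keep_years = {today.year - k for k in range(RETENTION["yearly"])}
    weekly_keep = {d for key, d in weekly.items() if key in keep_weeks}
    monthly_keep = {d for key, d in monthly.items() if key in keep_months}
    yearly_keep = {d for key, d in yearly.items() if key in keep_years}

    plan = {}
    for d in backups:
        reasons = []
        if 0 <= (today - d).days <= RETENTION["daily"]:
            reasons.append("daily")
        if d in weekly_keep:
            reasons.append("weekly")
        if d in monthly_keep:
            reasons.append("monthly")
        if d in yearly_keep:
            reasons.append("yearly")
        plan[d] = reasons
    return plan


def backups_to_delete(backups, today):
    """Backups no tier claims; everything else must stay."""
    return sorted(d for d, reasons in retention_plan(backups, today).items() if not reasons)


# Constructed inventory: one backup per day from 2014-01-01 to 2024-03-15.
TODAY = date(2024, 3, 15)
FIRST = date(2014, 1, 1)
DAILY_BACKUPS = [FIRST + timedelta(days=i) for i in range((TODAY - FIRST).days + 1)]

if __name__ == "__main__":
    plan = retention_plan(DAILY_BACKUPS, TODAY)
    kept = sum(1 for reasons in plan.values() if reasons)
    print(f"{len(DAILY_BACKUPS)} backups: keep {kept}, delete {len(DAILY_BACKUPS) - kept}")
    for d in (date(2024, 2, 1), date(2024, 1, 29), date(2024, 1, 15), date(2015, 1, 1)):
        print(d, plan[d] or "delete")
```

Running the plan against a real inventory before deleting anything, and alerting when a period has no designated copy at all, is the check that turns a retention policy into evidence that backups actually exist.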
All employees are trained in safety aspects and security best practices, including how to identify social engineering, phishing scams, and hackers. All employees undergo criminal history and credit background checks prior to employment. All employees agree to privacy safeguard policies outlining their responsibility in protecting client data. Binding internal security policies that are evaluated on a regular basis are in place. We regularly check that all responsibilities are clearly assigned and practicable. There are documented rules and contingency plans. The computer systems of employees are secured by encrypted file systems and password authentication.
Credit card security
A PCI Level 1 compliant provider is used for processing credit card payments. Security policy reviews are executed on a regular basis. Pelcro uses Stripe Elements to collect credit card information by default. This makes our clients eligible for the simplest method of PCI Compliance (AoC). This is possible because Checkout and Elements host all form inputs containing card data within an iframe served from Stripe’s domain—not yours—so your customers’ card information never touches your servers or ours.
All sensitive access data is stored hashed and salted, using bcrypt password hashing. Bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher, and presented at USENIX in 1999. Bcrypt is also the name of a cross-platform file encryption utility; its encrypted files are portable across all supported operating systems and processors.
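The salted-hash scheme described above, as an added example that is not Pelcro's code. It uses PBKDF2-HMAC-SHA256 from the Python standard library in place of bcrypt (which needs a third-party package), but the defensive pattern is the same: a fresh random salt per password, the algorithm and work factor stored with the hash so they can be raised later, a constant-time comparison on verification, and a malformed record failing closed rather than raising. The record layout, iteration count and sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Record layout: algorithm$iterations$salt_hex$digest_hex, so the parameters
# travel with the hash and can be raised later without breaking old records.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000      # work factor for newly created hashes (assumed policy)
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Hash with a fresh random salt; the salt is what makes two users with the
    same password get different records and defeats precomputed tables."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Recompute with the stored salt and parameters and compare in constant
    time. Malformed or foreign records fail closed instead of raising."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored, iterations=ITERATIONS):
    """True when a record was made with a weaker work factor than current policy;
    check after a successful login and re-hash while the plaintext is at hand."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM or not parts[1].isdigit():
        return True
    return int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    print("upgrade needed:", needs_rehash(record))
```

Because the work factor is stored per record, raising ITERATIONS later only affects new hashes; existing users are migrated transparently when needs_rehash reports true after their next successful login.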
Secure Agile Development
Pelcro follows a secure agile development methodology to ensure security is at the center of its development process. That is achieved by incorporating security user stories in all our features, making developers responsible for secure development, writing unit tests with security in mind, and conducting quality assurance with a hacker's hat on. Above all, we maintain a security culture across the organization.
Pelcro follows a bi-weekly release schedule for major, minor and patch updates and uses Semantic Versioning 2.0.0 for all code releases. GitFlow is the primary workflow used by developers across the organization.
Third-party security testing is performed by independent security researchers at irregular intervals on our hosting servers. Findings from each vulnerability assessment are reviewed with the assessors, risk-ranked and resolved swiftly.
At the network perimeter, firewalling and hardened TCP/IP stacks are used to mitigate resource exhaustion attempts. Sniffing and spoofing attacks are prevented by the underlying infrastructure.
User and system activity is monitored for signs of abuse — by algorithms and humans.
All subcontractors are assessed for privacy and security suitability, and appropriate contractual terms are in place.