We take security very seriously. It's our business to keep your business online, and security is a crucial part of that. But this is not only about what we do; it is also about you, because we are in it together.
You are responsible for the code you write and for how you use our API and your API keys. Please follow these best practices:
Don't expose API secrets
Best practice for both security and portability is to keep API secrets out of source code and supply them through environment variables. Environment variables are only as safe as the process that holds them: don't commit .env files to version control, don't dump the environment into CI logs or error pages, and don't pass secrets on to child processes or third-party scripts that do not need them.
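As an added example (not Pelcro's own code), the snippet below shows the pattern in Python: the secret is read from an environment variable at startup, the process refuses to start without it, the value is wrapped so that an accidental log line or repr() prints a redacted marker, and a small scan catches the classic mistake of assigning a literal key in source. The variable name PELCRO_API_SECRET_KEY and the sample source text are assumptions made for the example.

```python
"""Added example (not Pelcro's code): load an API secret from the environment,
fail closed when it is missing, keep it out of logs, and catch hard-coded keys."""
import os
import re

# Assumed variable name for illustration; Pelcro does not prescribe one.
API_KEY_VAR = "PELCRO_API_SECRET_KEY"


class MissingSecretError(RuntimeError):
    """Raised when the secret is absent so the service fails closed at startup."""


class Secret:
    """Wraps a secret so accidental logging, str() or repr() prints a redacted marker."""

    __slots__ = ("_value",)

    def __init__(self, value: str) -> None:
        self._value = value

    def reveal(self) -> str:
        """Return the raw value; call this only at the point the secret is actually sent."""
        return self._value

    def __repr__(self) -> str:
        return "Secret(<redacted>)"

    __str__ = __repr__


def load_api_secret(env=None) -> Secret:
    """Read the API secret from the environment (or from a mapping supplied for tests).

    A missing or blank variable is an error: a client that silently continues with
    an empty key is harder to debug and may fall back to an unauthenticated path.
    """
    env = os.environ if env is None else env
    value = env.get(API_KEY_VAR, "").strip()
    if not value:
        raise MissingSecretError(f"{API_KEY_VAR} is not set; refusing to start")
    return Secret(value)


# Matches an assignment of a quoted literal (8+ chars) to a variable whose name
# suggests a credential. A heuristic pre-commit guardrail, not a secret scanner.
HARDCODED_RE = re.compile(
    r"""^\s*(?P<name>\w*(?:api[_-]?key|secret|token|password)\w*)\s*[:=]\s*"""
    r"""(?P<q>['"])(?P<val>[^'"]{8,})(?P=q)""",
    re.IGNORECASE,
)


def find_hardcoded_secrets(source: str) -> list:
    """Return (line_number, variable_name) for each line that assigns a literal secret."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        m = HARDCODED_RE.match(line)
        if m:
            hits.append((lineno, m.group("name")))
    return hits


# Constructed sample source for the scan; line 2 is the mistake we want to catch,
# line 3 is the pattern recommended above.
SAMPLE_SOURCE = """import os
API_KEY = "example-hardcoded-key-0001"
api_key = os.environ["PELCRO_API_SECRET_KEY"]
timeout = "30 seconds"
"""

if __name__ == "__main__":
    print(find_hardcoded_secrets(SAMPLE_SOURCE))  # [(2, 'API_KEY')]
    try:
        load_api_secret({})
    except MissingSecretError as exc:
        print(exc)
    secret = load_api_secret({API_KEY_VAR: "abc123"})
    print(secret)  # Secret(<redacted>)
```

Passing a mapping into load_api_secret keeps the function testable without touching the real environment; in production it is called with no argument and reads os.environ.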
Use safe passwords
The password you use to log in to the Pelcro Dashboard is a master password: use a password manager or a long passphrase, and never reuse it on another service. Don't share your account password; use the collaboration features instead.
Secure your code
Follow common secure-coding guidelines. Before going live, test your integration against the most common attack vectors (the OWASP Top 10 is a good baseline), and consult the OWASP Cheat Sheet Series for concrete guidance on preventing each class of attack before it can start.
Pelcro's physical infrastructure is hosted and managed within Amazon's secure data centers on Amazon Web Services (AWS) technology. These data centers are certified under a number of security standards, including:
ISO 27001
SOC 1 and SOC 2 / SSAE 16 / ISAE 3402
PCI DSS Level 1
FISMA Moderate
Sarbanes-Oxley (SOX)
AWS enforces a high level of physical security to safeguard its data centers, with military-grade perimeter controls and security staff at all points of ingress. For environmental protection, AWS has sophisticated fire detection and suppression equipment, fully redundant power infrastructure with integrated UPS units, and high-end climate control systems to keep the hardware within its optimal operating environment. For a more in-depth view, we refer you to the AWS Security Center.
All employees receive security awareness training, including how to recognize social engineering and phishing attempts. All employees undergo criminal history and credit background checks prior to employment, and all agree to privacy safeguard policies that set out their responsibility for protecting client data. Binding internal security policies are in place and are evaluated regularly; responsibilities are reviewed periodically to confirm that they are clearly assigned and workable in practice. Documented rules and contingency plans exist. Employee computers are protected by encrypted file systems and password authentication.
Pelcro is subject to an annual external SOC 2 audit. In 2022, Pelcro completed its first SOC 2 Type I audit, covering the Security and Availability trust services criteria.
Credit card security
Credit card payments are processed by a PCI DSS Level 1 compliant provider, and security policies are reviewed on a regular basis. By default, Pelcro uses Stripe Elements to collect credit card information. Elements hosts every form input that carries card data inside an iframe served from Stripe's domain, not yours, so your customers' card information never touches your servers or ours. This keeps our clients eligible for the simplest PCI DSS validation method (SAQ A), provided that the integration is not changed to post card data to your own endpoints and that Stripe.js is loaded directly from js.stripe.com rather than bundled or self-hosted.
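The SAQ A scope described above depends on your own backend never receiving card data. As an added example (not Pelcro's or Stripe's code), the Python guardrail below validates an incoming checkout request: it accepts only the opaque PaymentMethod id that Elements hands back to the browser (Stripe ids of that type start with pm_), rejects fields that name raw card data, and scans string values for a Luhn-valid 13-19 digit number so a PAN cannot slip in through a free-text field. The field names, the minimum policy and the three sample requests are constructed for the example; 4242 4242 4242 4242 is Stripe's public test card number.

```python
"""Added example (not Pelcro's or Stripe's code): server-side guardrail that keeps
raw card data out of your backend so the SAQ A scope described above holds."""
import re


def luhn_valid(digits: str) -> bool:
    """Luhn checksum used by card numbers; used here only to recognise PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Field names that must never appear in a request to your own endpoints (assumed list).
FORBIDDEN_FIELDS = {"card_number", "cardnumber", "card", "pan", "cvc", "cvv", "cvv2"}
# Stripe PaymentMethod ids carry the documented "pm_" prefix; the rest is treated as opaque.
PAYMENT_METHOD_RE = re.compile(r"^pm_[A-Za-z0-9]+$")
# Candidate PAN: 13-24 characters of digits, spaces or dashes, digit at both ends.
CANDIDATE_PAN_RE = re.compile(r"\d[\d \-]{11,22}\d")


def looks_like_pan(text: str) -> bool:
    """True if the string contains a 13-19 digit Luhn-valid number (spaces/dashes ignored)."""
    for m in CANDIDATE_PAN_RE.finditer(text):
        digits = re.sub(r"[ \-]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_valid(digits):
            return True
    return False


def validate_checkout_payload(payload: dict) -> list:
    """Return a list of problems; an empty list means the payload is acceptable.

    Only the opaque PaymentMethod id is accepted; anything carrying card data is refused
    so that the card number never reaches this server (and so never enters PCI scope).
    """
    problems = []
    for key, value in payload.items():
        if key.lower() in FORBIDDEN_FIELDS:
            problems.append(f"field '{key}' carries raw card data")
        elif isinstance(value, str) and looks_like_pan(value):
            problems.append(f"field '{key}' looks like a card number")
    pm = payload.get("payment_method")
    if not isinstance(pm, str) or not PAYMENT_METHOD_RE.match(pm):
        problems.append("missing or malformed payment_method id")
    return problems


# Constructed requests: the first is what an Elements integration sends, the second
# posts the card itself, the third hides a PAN inside a free-text field.
GOOD_REQUEST = {"payment_method": "pm_0examplePaymentMethod", "plan": "monthly"}
BAD_REQUEST = {"card_number": "4242 4242 4242 4242", "cvc": "123", "plan": "monthly"}
SNEAKY_REQUEST = {"payment_method": "pm_0example", "note": "card 4242424242424242 please"}

if __name__ == "__main__":
    for name, req in (("good", GOOD_REQUEST), ("bad", BAD_REQUEST), ("sneaky", SNEAKY_REQUEST)):
        print(name, validate_checkout_payload(req))
```

Rejecting at the edge is the point: if a PAN is logged, stored or even parsed by your application, that system is in PCI DSS scope and SAQ A no longer applies, so the check should run before any logging or persistence of the request body.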
All sensitive credentials are stored hashed and salted using bcrypt. Bcrypt is a password hashing function designed by Niels Provos and David Mazières, based on the Blowfish cipher and presented at USENIX in 1999. Its work factor (cost) is adjustable, so hashing can be made slower as hardware gets faster, and each hash string carries its own cost and random salt, so two users with the same password do not share a hash.
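The "hashed + salted" claim is something an auditor can verify directly from stored values, because a bcrypt hash string is self-describing: $2<variant>$<cost>$ followed by a 22-character salt and a 31-character digest in bcrypt's own base64 alphabet. As an added example (not Pelcro's code), the Python below parses that format and audits a set of stored hashes for non-bcrypt values, costs below a policy minimum, and reused salts. The sample rows, the minimum cost of 10 and the user names are constructed for the example; the hash strings are syntactically valid bcrypt strings but are not real hashes of any password.

```python
"""Added example (not Pelcro's code): parse bcrypt hash strings and audit stored
password hashes for legacy schemes, weak cost factors and reused salts."""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# bcrypt modular-crypt format: $2<variant>$<cost>$<22-char salt><31-char digest>,
# both encoded in bcrypt's base64 alphabet (./A-Za-z0-9). Total length is 60.
BCRYPT_RE = re.compile(
    r"^\$2(?P<variant>[abxy])\$(?P<cost>\d{2})\$"
    r"(?P<salt>[./A-Za-z0-9]{22})(?P<digest>[./A-Za-z0-9]{31})$"
)

# Assumed policy threshold for this example (OWASP's password storage guidance
# recommends a bcrypt work factor of 10 or more).
MIN_COST = 10


@dataclass(frozen=True)
class BcryptHash:
    variant: str
    cost: int
    salt: str
    digest: str


def parse_bcrypt(stored: str) -> Optional[BcryptHash]:
    """Return the parsed hash, or None if the value is not a well-formed bcrypt string."""
    m = BCRYPT_RE.match(stored)
    if not m:
        return None
    cost = int(m.group("cost"))
    if not 4 <= cost <= 31:  # bcrypt's valid cost range
        return None
    return BcryptHash(m.group("variant"), cost, m.group("salt"), m.group("digest"))


def audit_hashes(rows: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Return (user, finding) pairs for every stored hash that violates the policy."""
    findings = []
    seen_salts = {}
    for user, stored in rows:
        parsed = parse_bcrypt(stored)
        if parsed is None:
            findings.append((user, "not a bcrypt hash (legacy scheme or malformed value)"))
            continue
        if parsed.cost < MIN_COST:
            findings.append((user, f"bcrypt cost {parsed.cost} is below the minimum of {MIN_COST}"))
        if parsed.salt in seen_salts:
            # A repeated salt means the random salt is not being generated per user.
            findings.append((user, f"salt reused from user '{seen_salts[parsed.salt]}'"))
        else:
            seen_salts[parsed.salt] = user
    return findings


# Constructed sample rows (synthetic salts/digests drawn from bcrypt's alphabet).
_SALT_A = "abcdefghijklmnopqrstuv"
_SALT_B = "ABCDEFGHIJKLMNOPQRSTUV"
_DIGEST = "0123456789abcdefghijklmnopqrstu"
SAMPLE_ROWS = [
    ("alice", f"$2b$12${_SALT_A}{_DIGEST}"),          # fine
    ("bob",   f"$2a$05${_SALT_B}{_DIGEST}"),          # cost too low
    ("carol", "5f4dcc3b5aa765d61d8327deb882cf99"),    # unsalted MD5 hex, legacy
    ("dave",  f"$2b$12${_SALT_A}{_DIGEST}"),          # same salt as alice
]

if __name__ == "__main__":
    for user, finding in audit_hashes(SAMPLE_ROWS):
        print(f"{user}: {finding}")
```

Run against a dump of the credentials table, this turns the claim into a measurable fact: every row should parse, no cost should fall below the current policy, and no two rows should share a salt.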
Secure Agile Development
Pelcro follows a secure agile development methodology to keep security at the center of its development process: security user stories are included in every feature, developers are responsible for secure development, unit tests are written with security in mind, and quality assurance is conducted with a hacker's hat on. On top of that, we maintain a security culture across the organization.
Pelcro follows a bi-weekly release schedule for major, minor and patch updates and uses Semantic Versioning 2.0.0 for all code releases. GitFlow is the primary workflow used by developers across the organization.
Third-party security testing is performed by independent security researchers at irregular intervals against our hosting servers and application layers. Findings from each vulnerability assessment are reviewed with the assessors, risk-ranked and resolved swiftly. Intruder.io is used as an automated vulnerability scanner to check continuously for known and emerging security threats.
At the network edge, firewalls and hardened TCP/IP stacks mitigate resource-exhaustion attempts. Sniffing and spoofing attacks are prevented by the underlying infrastructure. Pelcro also uses several CloudFlare services to protect its services.
User and system activity is monitored for signs of abuse, by both automated systems and humans.
All subcontractors are vetted for privacy and security suitability, and appropriate contractual terms are in place.