Security

Overview

At Heresy we believe that security and data protection is a fundamental part of every software application, not a feature or a nice-to-have. We continuously assess our infrastructure, applications, operations and even third-party services we use, in order to provide the best possible protection for our users.

Infrastructure and Networking

Heresy's application and database are hosted on Salesforce's Heroku, which runs on the industry-leading Amazon Web Services. For more information on Heroku's and Amazon's security, please check:

Our web servers use the strongest grade of HTTPS security (TLS 1.2), so requests between server and client are encrypted and protected from eavesdroppers and man-in-the-middle attacks; we also use WSS (WebSockets over TLS/SSL).

Application security and data protection

Heresy has been certified under UK Government's Cyber Essentials scheme since 24th August 2017. We are also compliant with EU's General Data Protection Regulation (GDPR) and implement many practices found in ISO 27001 which we plan to obtain.

We collect the minimum amount of personal identifiable information (PII) when users sign up: first name, last name and an email address. We use the data to provide the services and do not sell or rent out any PII with 3rd party services and will never do without explicit user consent.

Our web application framework (open source) utilises various techniques to prevent a variety of attacks, including SQL Injection, XSS and CSRF attacks. We use state-of-the-art encryption and hashing libraries.

Server and application logs are regularly reviewed and constantly monitored. We also have an automatic backup system in place, with all backups securely stored and available for fast recovery.

Operational security

Heresy employee computers have strong passwords, encrypted disks, firewalls, and, where applicable, inbound and outbound network traffic monitoring and alerting. No Windows computers or servers are used at all other than in isolated testing environments.

All employees are required to use 2FA (when available) and a randomly generated strong password for each services they use. We follow the principle of least privilege, so access to services is explicitly granted only when needed and reviewed on a regular basis.

Further information

If you have any questions, don't hesitate to Shoot us an email.