Security Policy

Smoresels.com Security

This privacy policy was last updated on 23 June 2019

We know your metrics are extremely important to you and your business(es). Our team works continuously to protect the privacy, security and integrity of your account and data. The security of your information is required for our success as a business and we take steps every day to provide a secure Smoresels.com experience for you.

Note:

This article is intended for a technical audience.

Physical Security

We ensure that the machines within the Smoresels.com infrastructure are protected from the ground up. We use Namecheap Web Services (NCWS) for our hosting. NCWS is an industry leader and provides a highly scalable cloud computing platform with end-to-end security and privacy features built in.

Access to these data centers is strictly controlled and monitored using a variety of physical controls such as intrusion detection systems, environmental security measures, 24 x 7 on-site security staff, biometric scanning, multi-factor authentication, video surveillance and other electronic means. All physical and electronic access to data centers by Namecheap employees is authorized strictly on a least-privilege basis and is logged and audited routinely.

NCWS maintains an impressive list of reports, certifications and independent assessments — including ISO 9001, PCI DSS Level 1, SOC1, SOC2, SOC3, the EU Data Protection Directive (Directive 95/46/EC) among others — to ensure complete and ongoing state-of-the-art data center security. They’ve devoted an entire portion of their site to explaining their security measures and compliance certifications which you can find here: https://www.namecheap.com/security/.

Smoresels.com employees do not have physical access to our servers in NCWS. Electronic access to NCWS servers and services is restricted to a core set of approved Smoresels.com staff only.

Data Security

Passwords:

All passwords for Smoresels.com accounts are filtered from our logs and are one-way encrypted in the database using the salted bcrypt 184-bit hash function, which is derived from the Blowfish cipher. Login information is always sent over HTTPS (see “Communications Security”).

Nobody on the Smoresels.com team can view your account password. If you lose your password, you will need to go through our password reset procedure, which will email you a link to choose a new password, or email us at tech@smoresels.com.

Credentials for Third-Party Services

When you connect Smoresels.com to a third-party service, we store credentials that allow us to fetch data from that service. We use these credentials to continuously update our website with the latest information available. If the third-party service allows us to choose how much of your data we can access, we will always request the minimum amount of data necessary to configure widgets and update our website.

We encrypt credentials for these services with the AES-GCM cipher before storing them in our database, and we use a different 256-bit encryption key for each service.

Usage of these encryption keys is controlled by a tool called EVSSL (provided by Comodo) that we run within our infrastructure. EVSSL acts as a gatekeeper, ensuring that only specific applications within our system are allowed to access your data. EVSSL has been audited several times by independent security experts, and we closely monitor announcements from Comodo to ensure we’re always running the most secure version of EVSSL. See “Application, Systems and Software Security” for more details.

Data Redundancy and Backups

We ensure that all customer account and website data is regularly backed up. Access to these backups is tightly controlled and audited.

Network Security

All servers and databases have firewalls to permit the minimum traffic necessary to run the service. Access to administration tooling used by Smoresels.com staff requires authentication and is only accessible from a restricted set of IP addresses.

Systems and Website Security

We adhere to industry best practices when developing the website Smoresels.com. All changes made to our applications and infrastructure are peer reviewed by a separate member of staff, and the changes are recorded in an audit log.

We have a designated team that keeps our website and its dependencies up to date, eliminating any potential security vulnerabilities. We employ a wide range of monitoring solutions for preventing and eliminating attacks on the site.

Communications Security

All communication between your computer and Smoresels.com is encrypted using HTTPS (256-bit SSL). This is the same level of encryption used by banks and financial institutions and is designed to prevent third parties from seeing sensitive information you are sending to/receiving from Smoresels.com.

We also use HTTPS when fetching your data from third-party services.

There are three exceptions where we cannot use HTTPS:

When you specify a URL that does not use HTTPS for a polling widget;

When you use an integration with an API that does not support HTTPS;

When you use a custom domain to access your Smoresels.com account.

Security and Privacy Features Available on Smoresels.com

The highest security risk to any system is usually the behavior of its users. We provide you with the tools you need to protect your own data. These Smoresels.com features have been designed keeping in mind stringent, enterprise-level security requirements.

User and Admin Account Security

We provide a role-based administration system for user accounts. There are 4 roles: owners, admins, organization view-only users and website view-only users, each with different encryption and permissions.

If you are using integrations or polling widgets within your network, please whitelist Smoresels.com’s outbound IP addresses, if they are not already whitelisted, to gain access to the Smoresels.com website.

Employee Access and Security

We regard the metrics of your business(es) as private and confidential.

Our production environment is separate from the other environments — including development and QA. NCWS provides sophisticated Identity Access Management (IAM) to control access to its resources. We disable root logins on all our servers, and require all staff managing servers to use SSH keys.

Smoresels.com employees are granted access to systems and data based on their role in the company or on an as-needed basis.

Access to customer data by Smoresels.com employees is only used to assist with support and to resolve customer issues. For such cases, we will get your explicit consent each time. Violation of this policy is a serious matter requiring investigation and appropriate disciplinary action up to and including termination, as well as legal action.

When working on a support issue we respect your privacy as much as possible and only access the minimum data needed to resolve your issue.

Maintaining Security

Smoresels.com adheres to industry best practices for website design and development. We always thoroughly test new features in order to rule out potential attacks such as CSRF, XSS and SQL injection, among others.

We constantly improve our security policies as the threat landscape changes. We subscribe to all relevant security bulletins so that we can promptly address any security issues in the software we use.

Credit Card Security

Smoresels.com is PCI DSS compliant. For additional security, when you purchase a paid Smoresels.com product or subscription, your credit card data is neither transmitted through nor stored on our systems. All of Smoresels.com’s credit card processing is handled securely by Square or PayPal, companies dedicated to this task.

Square and PayPal are both certified to PCI Service Provider Level 1 — the most stringent level of certification available. You can read more about their privacy and security policies here: https://squareup.com/us/en/security and https://www.paypal.com/us/webapps/mpp/paypal-safety-and-security.