FunRetro Security

End to End Encryption

FunRetro encrypts data in transit using 256-bit Secure Socket Layer (SSL) technology. Our SSL configuration has an A+ grade on the SSL Labs quality report.

We use Google Cloud Platform to store all our data, and it provides default encryption at rest using either AES-256 or AES-128. You can read more about Google Cloud encryption here: https://cloud.google.com/security/encryption-at-rest/.

reCAPTCHA

We use the Google reCAPTCHA security service to protect FunRetro from spam and abuse. We use it on our login form to block bots.

Password Encryption

Our passwords are stored securely using bcrypt technology provided by Google Cloud. We also enforce strong password complexity by requiring a minimum of 8 characters, 1 uppercase letter, 1 lowercase letter, 1 number and 1 special character at registration in the app.
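As an added illustration of the registration rule above (example code, not FunRetro's own), a validator that checks the stated policy and also rejects inputs longer than bcrypt's 72-byte input limit, a caveat the page does not mention; treating "special character" as any non-alphanumeric, non-whitespace character is an assumption.

```python
from typing import Callable, List, Tuple

# Policy stated on the page: at least 8 characters, 1 uppercase letter,
# 1 lowercase letter, 1 number and 1 special character, checked at registration.
MIN_LENGTH = 8

# Assumption (not on the page): bcrypt only hashes the first 72 bytes of its
# input and silently ignores the rest, so longer passwords are rejected up front
# instead of being stored as a truncated value.
BCRYPT_MAX_BYTES = 72

# Assumption: a "special character" is anything that is not a letter, a digit
# or whitespace, so a lone space does not satisfy the rule.
_RULES: List[Tuple[str, Callable[[str], bool]]] = [
    ("min_length", lambda p: len(p) >= MIN_LENGTH),
    ("uppercase", lambda p: any(c.isupper() for c in p)),
    ("lowercase", lambda p: any(c.islower() for c in p)),
    ("digit", lambda p: any(c.isdigit() for c in p)),
    ("special", lambda p: any(not c.isalnum() and not c.isspace() for c in p)),
    ("bcrypt_length", lambda p: len(p.encode("utf-8")) <= BCRYPT_MAX_BYTES),
]


def check_password(password: str) -> List[str]:
    """Return the names of the rules the password fails; an empty list means accepted."""
    return [name for name, ok in _RULES if not ok(password)]


def is_acceptable(password: str) -> bool:
    """True when the password satisfies every rule above."""
    return not check_password(password)


if __name__ == "__main__":
    # Constructed sample inputs, one per failure mode.
    for candidate in ["Str0ng!pass", "weakpass", "Ab1!", "Passw0rd 123", "A1!" + "a" * 70]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```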

Payments

Payments are handled by Paddle, our third-party provider. We don't store any billing information on our servers. Paddle is PCI-compliant and adheres to the Payment Card Industry Data Security Standard. You can read more about it here: https://paddle.com/taxes-fraud-compliance/.

Data Center

FunRetro is hosted on Firebase, which is part of Google Cloud Platform. Our data is hosted in the US Central region. Google Cloud is a very secure platform that holds multiple certifications: ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3, PCI DSS and CSA. You can read more about it here: https://cloud.google.com/security/.

Physical Access Control

FunRetro is hosted on Google Cloud Platform. Google data centers feature a layered security model, including extensive safeguards such as custom-designed electronic access cards, alarms, vehicle access barriers, perimeter fencing, metal detectors and biometrics.

Backups

FunRetro takes regular backups once per day. All backups are encrypted by default. Backups are deleted 30 days after they are created.

Penetration Testing

FunRetro undergoes black box penetration testing, conducted by an independent third-party agency, twice a year. For black box testing, FunRetro provides the agency with a real admin account for testing all features, plus extra details about endpoints and software architecture.

Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. FunRetro will provide a summary of penetration test findings upon request.

Code Practices

We ensure high code quality by using unit tests and code analysis tools (Code Climate) in continuous integration. We also have a staging environment for manual testing; once we have confirmed everything is fine there, we deploy to production. We deploy almost every week.

Data Belongs to You

We strongly believe that your data belongs to you. You can modify it, export it and delete it whenever you want. You can read more about what data we collect and how we use it in our Privacy Policy.

Availability

FunRetro uses Firebase services extensively, and it is hosted on Google Cloud Platform, a very reliable service with high availability. You can check the live Firebase status here: https://status.firebase.google.com/.

Attack Prevention & Mitigation

We use Firebase for authentication services, and it has a monitoring feature that blocks IP addresses attempting to attack us. Firebase limits the number of new Email/Password and Anonymous sign-ups to our application from the same IP address.

Google Cloud Platform's intrusion detection also involves tightly controlling the size and make-up of Google's attack surface through preventative measures, employing intelligent detection controls at data entry points, and employing technologies that automatically remedy certain dangerous situations.

Bug Bounty Program

FunRetro gives recognition and compensation to people who report bugs and issues, especially those pertaining to exploits and vulnerabilities. To report a bug, please send an email to security@funretro.io.

Business Continuity

FunRetro keeps daily encrypted backups of its data on Firebase. Although we never expect it, in the case of production data loss we will restore data from these backups.