At Pactly we take security seriously and we continuously keep on improving as the business grows. On this page, you will find an overview of our security practices.
Physical & Network Security
We use Amazon’s AWS platform and infrastructure for Pactly. Pactly employees do not have physical access to our production environment. Below is an excerpt from an AWS: Overview of Security Processes white paper. “Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, with military grade perimeter control berms. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in. They are also continually escorted by authorized staff.” Additionally, running our services on the AWS platform provides us significant protection against network security issues such as Distributed Denial Of Service (DDoS) Attacks, Man In the Middle (MITM) Attacks, IP Spoofing, Port Scanning and Packet sniffing by other tenants.
We have strong password policies for access to all our administrative operations including both infrastructure and Pactly services. Administrative privileges are restricted to a minimum number of employees.
Pactly application servers can be accessed only via HTTPS. We use industry-standard encryption for data in transit. To prevent CSRF we are using JWT tokens for authenticating all requests to our servers. We encode and sanitize all user input when they are displayed to ensure XSS is avoided.
Vulnerability Scanning & Patching
We periodically check and apply security updates for software and services. We follow relevant security authorities to stay updated on the latest discoveries.
Data Storage & Redundancy
We use MongoDB for our databases. There are automated backups on all our clusters. We backup data for up to 6 months.
We have set up a monitoring system to alert our Operations Team if there are availability issues with our service.
Vulnerability disclosure and reward program
Our team investigates all reported security issues. If you’ve discovered a bug in our security, please get in touch at firstname.lastname@example.org. We will respond as quickly as possible. We humbly request that you do not publicly disclose the issue until it has been addressed by us.
We understand the hard work that goes into security research. To show our appreciation for researchers who help us keep our users safe, we provide a reward program for responsibly disclosed vulnerabilities that meet the criteria below.
We reward the confidential disclosure of any design or implementation issue that can directly be used to compromise the confidentiality or integrity of our users’ data (such as by bypassing our login process, injecting code into another user’s session, or instigating action on another user’s behalf). As an early stage startup, we can offer a small reward of $50 USD for responsible disclosure of security-related bugs that meet the criteria. Rewards are paid out via Paypal only.
So far our security has been assessed by 20+ independent security researchers and we have paid out over 10 bounties.
NOTICE: We retain full discretion in the determination of whether a bounty is payable on the bug or not.