Security & Privacy
Security and privacy is baked into the architecture of Slapdash. Here are the things we do to make sure we are good stewarts of any data we are in contact with.
Certifications and Compliance
SOC 2 Type I: Slapdash completed an independent audit for our SOC 2 Type I report, which verifies our consistent application of the Trust Services Principles and Criteria over time.
Penetration Testing: We regularly run penetration testing by independent security firms as part of our SOC 2 process. Protection against XSS, CSRF, SQL Injection and other common vulnerability types is baked into the foundation of Slapdash core.
When you connect an app to Slapdash, we always try to request the minimal set of permissions possible to power functionality.
If we do store data from a connected application, it's stored encrypted on disk, in-transit and in the data store
In the data store, content and keys are stored using ECIES (with Secp256k1 curve and AES256 cipher in CTR mode), public-key-encrypted with individual per-user, per-app key pairs. Keys are stored in a separate, secure cluster.
One thing that is not encrypted is the reverse index, but we do take care to remove position from the index and limit employee access to the search infrastructure.
We Can't See It
Slapdash employees can't accidently or even deliberately see the contents of any person's data. This is enforced technologically and with company policy.
We explictly don't have any tools to log in as a person or to query for a person's data. Data is only decrypted at request-time for the logged-in user by our servers.
While we are not zero-access yet, we are building in that direction.
Customer data is physically and logically separated, even when using Slapdash for Teams.