Data Security
You should take steps to protect against unauthorized access to your device and account by, among other things, choosing a robust password that nobody else knows or can easily guess and keeping your log-in and password private. We are not responsible for any lost, stolen, or compromised passwords or for any activity on your account via unauthorized password activity.
We retain the personal data we collect for so long as reasonably necessary to fulfill the purposes for which the data was collected, to perform our contractual and legal obligations, and for any applicable statute of limitations periods to bring and defend claims.
Processing
Scaleway is the data center provider for the Diggle application. Scaleway is located in France, so you can get full protection from GDPR. They list the following compliance and certifications:
- ISO 27001:2013 – Information security management system
- HDS – Health data hosting
- ISO 50001:2018 – Energy management systems
- GDPR
- Tier 3 Uptime Institute: 2014
- SWIPO
Scaleway employs a wide range of physical security measures to keep your data safe.
Scaleway’s compliance and certifications is covered here:
https://www.scaleway.com/en/about-us/our-certifications/
Scaleway’s security and resilience measures are covered here:
https://www.scaleway.com/en/security-and-resilience/
For the landing page we use DigitalOcean (US), for our hosting needs. The only personally identifiable information we store on this server is the contents of the access logs that we use to be able to identify malicious behavior. These access logs contain IP addresses. The logs are automatically deleted every two weeks.
Scaleway is also the hosting provider for images our users upload as part of the content they build
For the AI features in Diggle, we are using OpenAI. OpenAI receives only data relevant to the process of creating a Diggle, such as questions, responses, or additional prompts. This data is only used to provide the requested services and is not retained or used to train OpenAI’s models. OpenAI manages data according to strict retention policies and ensures compliance with GDPR and other applicable laws, including data encryption and access control measures.
Data at rest
- DigitalOcean: Stored IP addresses are not encrypted at rest.
- CloudFlare: Encrypts all data at rest, usually with disk-level encryption.
- Google Analytics: Data is encrypted at rest (currently deactivated)
- GSuite (Gmail, Meet): Data encrypted at rest.
- Stripe: All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of Stripe’s internal servers and daemons can obtain plaintext card numbers but can request that cards are sent to a service provider on a static allowlist. Stripe’s infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment and doesn’t share any credentials with Stripe’s primary services (API, website, etc.).
- Sentry: Uses encryption at rest.
- Slack: Data at rest in Slack’s production network is encrypted using FIPS 140-2 compliant encryption standards, which applies to all types of data at rest within Slack’s systems—relational databases, file stores, database backups, etc
- OpenAI encrypts all data at rest (AES-256) and in transit (TLS 1.2+), and uses strict access controls to limit who can access data.
Data in transit
We use standard TLS ≥ 1.2, so encryption of data-in-transit, and are rated A+ by 3rd party vendor, SSL Labs. Privacy and protection of user data are of the highest importance to us and we both have technical and operational support in place to ensure this.
Backups and Data Loss Prevention
Data is backed up continuously, and we have an automatic failover system if the primary database fails. We are running a high availability managed Postgres database from Scaleway.
User Passwords
We hash and salt all passwords with the bcrypt algorithm. So no passwords will be leaked in the event of a breach.
Employee Passwords
Passwords that are used in the line of work are stored using a password management system. We enforce 2FA where applicable and that employees use screen locks whenever they are not by their workstations.
Payment Details
Credit card information is stored with Stripe, which is a Level 1 PCI compliant payment processor. Source: https://stripe.com/docs/security/guide
Security routines
Planned activity | Frequency |
Re-evaluation of transfer tools at appropriate intervals, developments in the third country that may affect the level of data protection, the necessity of our own mechanisms and to the degree they have been sufficiently implemented | Minimum 2 times a year |
Security training for personnel | Yearly and at beginning of employment |
Revoke system, hardware and document access | At end of employment |
Firewall settings verification for workstations and Network | 2 times a year |
Ensure all critical system libraries are up-to-date | Continuously |
Unit and integration tests to ensure system functionality and security | Continuously |
External penetration tests to ensure system security | By continuously assessing the need for new tests |
Human Resource Security
Diggle is developed by Specifique Norge as, a consulting company based in Oslo, Norway. Not everyone in Specifique works with Diggle and is not given access to information and systems that relate to Diggle.
We have a process in place that ensures that employees are given access to information and systems on a need-to basis only. When employment has ended, we revoke all access that the concerned employee had.
Our lead developer is responsible for the security of the IT infrastructure, develops plans against security threats, vulnerabilities, and risks ensures IT infrastructure supports security policies, and responds to information security incidents.
For everyone with access to systems and information, these guidelines must be respected:
- That employee will keep passwords, PIN codes, etc. entrusted to the employee, strictly confidential;
- That employee uses at least 2-factor authentication for systems with user data. We also require password-protected SSH keys.
- Firewall enabled on all workstations
- That employee will log off the computer or activate the screensaver configured with a password immediately upon completion of each work session
Continuous improvements
Our engineering practices ensure that we have security in mind in all stages of a development lifecycle. We will do our utmost to minimize any type of risk. Examples of Engineering practices:
- Clear code conventions enforced by static code analysis and automatic formatting.
- Use of well-known frameworks to protect against common attack vectors (XSS, CSRF, SQL Injection).
- Continuous check-up to keep libraries up-to-date.
- Continuous integration builds and testing with separate automated deployment for easy rollbacks.
- Continuous improvement process with the entire product team where security issues are evaluated. Yearly security review of the entire code base.
- All releases are tested before merging to production.
- Passwords are always kept in a password manager or as configuration.