Security

Intro

The projects hosted on bandgap.io represent the intellectual property and thought processes of its users. As such, we go to great lengths to ensure your data is secure. Our philosophy is to store the minimal amount of data that we can, but unless there is a breakthrough in homomorphic encryption, we must still hold much of it in plaintext. We answer common security questions below.

Is access to the bandgap.io datacenter restricted?

bandgap.io is hosted on gcloud, which enforces a sophisticated physical and logical access policy and is compliant with ISO standards. In addition, gcloud drives are encrypted at rest.

How are user passwords stored?

User passwords are never stored; only a salted hash of each password is stored.

Does bandgap.io accept low-entropy passwords?

No, we have a password entropy validator.
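The two answers above describe the signup path: an entropy check before a password is accepted, and a salted hash as the only thing that is stored. The following Python is an added illustration of that path, not bandgap.io's own code. The page does not name the estimator, the threshold or the hash function, so the distinct-character entropy estimate, the 60-bit threshold, the choice of scrypt and its work factors are all assumptions made here.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional

# Added example, not bandgap.io's code. The page only states that an entropy
# validator runs and that a salted hash is stored; the estimator, the 60-bit
# threshold and the scrypt parameters below are assumptions for illustration.

MIN_ENTROPY_BITS = 60                          # assumed acceptance threshold
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # assumed work factors (16 MiB)
SALT_BYTES = 16

_CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation), len(string.punctuation)),
)
_ASCII_KNOWN = set().union(*(chars for chars, _ in _CLASSES))


def estimate_entropy_bits(password: str) -> float:
    """Conservative estimate: log2(pool) per *distinct* character, where the
    pool is the union of the character classes the password draws from.
    Counting distinct characters keeps 'aaaaaaaaaaaa' from scoring like twelve
    random lowercase letters. A production validator would additionally reject
    dictionary words and breached passwords, which no entropy formula catches."""
    if not password:
        return 0.0
    seen = set(password)
    pool = sum(size for chars, size in _CLASSES if seen & chars)
    if seen - _ASCII_KNOWN:
        pool += 32      # assumed allowance for space and non-ASCII characters
    return len(seen) * math.log2(pool)


def is_acceptable(password: str) -> bool:
    return estimate_entropy_bits(password) >= MIN_ENTROPY_BITS


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'scrypt$N$r$p$salt_hex$hash_hex'.
    Only this record is stored; the password itself never is. A fresh random
    salt per user means two users with the same password get different records."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and parameters and compare in
    constant time, so response timing does not reveal how many bytes matched."""
    try:
        scheme, n, r, p, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                            n=int(n), r=int(r), p=int(p), dklen=len(hash_hex) // 2)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def register(password: str) -> str:
    """What a signup handler does: validate first, then keep only the record."""
    if not is_acceptable(password):
        raise ValueError(f"estimated {estimate_entropy_bits(password):.1f} bits, "
                         f"need at least {MIN_ENTROPY_BITS}")
    return hash_password(password)


if __name__ == "__main__":
    for candidate in ("password1", "correct horse battery staple"):
        print(f"{candidate!r}: {estimate_entropy_bits(candidate):.1f} bits, "
              f"acceptable={is_acceptable(candidate)}")
    record = register("correct horse battery staple")
    print(record)
    print("verify:", verify_password("correct horse battery staple", record))
```

The record embeds its own parameters, so work factors can be raised later for new users while old records still verify, and `hmac.compare_digest` rather than `==` is what keeps verification constant-time.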

How does bandgap.io keep up to date with security vulnerabilities?

We regularly check our site on SSL labs and securityheaders.io.

I still don't feel comfortable giving up credit card information. What can I do?

You do not give us credit card information. That information is given to Stripe, who then sends us an authentication token. Stripe is a PCI compliant payment provider.

How are customer support and transactional emails handled?

Customer support emails are managed by Protonmail, which is an end-to-end encrypted email provider. Transactional emails are sent through Sendgrid, which is not end-to-end encrypted but does use TLS in transit. All our emails should pass SPF, DKIM and DMARC validation.
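SPF, DKIM and DMARC are published as DNS TXT records, and whether mail "passes" depends on how strict those records are: an SPF record ending in `+all` authorizes every host, and a DMARC policy of `p=none` only monitors spoofed mail instead of rejecting it. The Python below is an added example, not bandgap.io's own tooling, that parses SPF and DMARC records and reports the weak settings a defender would look for. The records are constructed for illustration using documentation domains; bandgap.io's real records are not on this page, and in practice the strings would come from DNS TXT lookups. DKIM is not checked here because assessing a DKIM key means decoding the public key, which is beyond what this check covers.

```python
import re

# Added example, not bandgap.io's code. Record strings are constructed for
# illustration; a real check would fetch them as DNS TXT records.

SPF_PERMISSIVE = "SPF: '+all' authorizes any host to send as this domain"
SPF_NEUTRAL = "SPF: '?all' gives unlisted senders a neutral result"
SPF_NO_ALL = "SPF: no 'all' mechanism; unlisted senders are not failed"
SPF_TOO_MANY_LOOKUPS = "SPF: more than 10 DNS-lookup mechanisms (RFC 7208 limit)"
DMARC_MISSING = "DMARC: no record published"
DMARC_NONE = "DMARC: p=none only monitors; spoofed mail is still delivered"
DMARC_PARTIAL = "DMARC: pct<100 applies the policy to only part of the mail"
DMARC_NO_RUA = "DMARC: no rua= address, so aggregate reports are not collected"

# Mechanisms that cost a DNS lookup; RFC 7208 caps them at 10 per evaluation.
_LOOKUP_MECHS = {"include", "a", "mx", "ptr", "exists", "redirect"}
_TERM = re.compile(r"^([+\-~?]?)([a-z0-9]+)(?:[:=/](.*))?$", re.I)


def assess_spf(record: str) -> list:
    """Return a list of findings for an SPF record; empty means nothing to flag."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["SPF: record does not start with v=spf1"]
    findings, lookups, all_qualifier = [], 0, None
    for term in terms[1:]:
        m = _TERM.match(term)
        if not m:
            findings.append(f"SPF: unparseable term {term!r}")
            continue
        qualifier, mechanism = m.group(1) or "+", m.group(2).lower()
        if mechanism in _LOOKUP_MECHS:
            lookups += 1
        if mechanism == "all":
            all_qualifier = qualifier
    if all_qualifier is None:
        findings.append(SPF_NO_ALL)
    elif all_qualifier == "+":
        findings.append(SPF_PERMISSIVE)
    elif all_qualifier == "?":
        findings.append(SPF_NEUTRAL)
    if lookups > 10:
        findings.append(SPF_TOO_MANY_LOOKUPS)
    return findings


def parse_dmarc(record: str) -> dict:
    """Split 'tag=value; tag=value' into a dict with lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> list:
    """Return a list of findings for a DMARC record; empty means enforcing."""
    if not record:
        return [DMARC_MISSING]
    tags = parse_dmarc(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["DMARC: record does not start with v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("DMARC: missing or invalid p= tag")
    elif policy == "none":
        findings.append(DMARC_NONE)
    pct = tags.get("pct", "100")
    if pct.isdigit() and int(pct) < 100:
        findings.append(DMARC_PARTIAL)
    if "rua" not in tags:
        findings.append(DMARC_NO_RUA)
    return findings


if __name__ == "__main__":
    # Constructed sample records for two hypothetical domains.
    samples = {
        "strict.example.com": ("v=spf1 include:_spf.example.net ip4:192.0.2.0/24 -all",
                               "v=DMARC1; p=reject; rua=mailto:dmarc@strict.example.com"),
        "loose.example.org": ("v=spf1 include:_spf.example.net +all",
                              "v=DMARC1; p=none; pct=50"),
    }
    for domain, (spf, dmarc) in samples.items():
        print(domain, assess_spf(spf) + assess_dmarc(dmarc) or ["ok"])
```

A domain whose SPF ends in `-all` and whose DMARC policy is `p=reject` with a `rua=` address produces no findings; the loose sample is flagged on every check, which is the configuration that lets a third party deliver mail that appears to come from that domain.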

If a project is deleted, is the data actually deleted, or do you keep a backup?

When a user deletes a project, the data is irreversibly removed from our servers.

What should I do if I discover a vulnerability?

Please write us at security@bandgap.io.