Security

We treat security as a top priority here at Interseller. Here’s what we do to keep all of our data safe.

Encryption.

  • All requests to Interseller, including any interim connections across Interseller’s infrastructure, are secured with HTTPS and/or SSL. Any connection or request using an unsecured protocol, like HTTP, is redirected to its secure counterpart or terminated.
  • Interseller uses HSTS (HTTP Strict Transport Security), a mechanism that tells well-known browsers that our website uses HTTPS and that they should refuse to connect over plain HTTP.
  • All data, including customer data, is encrypted at rest and in transit.
  • All secret keys and customer keys (e.g. integration credentials) are encrypted with hardware security modules (HSMs) for extra protection.
  • Credit cards are stored and processed securely with Stripe, which is PCI Level 1 compliant.
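The two transport controls above, the HTTP-to-HTTPS redirect and the HSTS header, are easy to check from the outside. The following is an added example, not Interseller's own code, that parses a `Strict-Transport-Security` header the way browsers do (per RFC 6797), flags the common misconfigurations that silently disable it, and rewrites a plain-HTTP URL to its HTTPS counterpart. The minimum `max-age` threshold and the sample header values are constructed assumptions, not values taken from the page.

```python
"""Added example (not Interseller's code): evaluate an HSTS header and
compute the HTTPS redirect target for a plain-HTTP request.

MIN_MAX_AGE and the sample headers below are constructed for illustration.
"""

from urllib.parse import urlsplit, urlunsplit

# Assumed policy threshold: one year, the commonly recommended minimum
# for HSTS preload lists. This is an assumption, not a value from the page.
MIN_MAX_AGE = 31536000


def parse_hsts(value):
    """Parse a Strict-Transport-Security header value into its directives.

    Returns {'max_age': int|None, 'include_subdomains': bool, 'preload': bool}.
    Directive names are case-insensitive; a missing or non-numeric max-age
    leaves max_age as None, which is how browsers treat an invalid header.
    """
    result = {"max_age": None, "include_subdomains": False, "preload": False}
    for raw in value.split(";"):
        directive = raw.strip()
        if not directive:
            continue
        name, _, arg = directive.partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            result["max_age"] = int(arg)
        elif name == "includesubdomains":
            result["include_subdomains"] = True
        elif name == "preload":
            result["preload"] = True
    return result


def evaluate_hsts(headers, min_max_age=MIN_MAX_AGE):
    """Return a list of findings for a response's HSTS posture.

    `headers` is a dict of response headers; lookup is case-insensitive.
    An empty list means the header meets the assumed policy.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    value = lookup.get("strict-transport-security")
    if value is None:
        return ["no Strict-Transport-Security header; browsers will still accept plain HTTP"]
    findings = []
    parsed = parse_hsts(value)
    if parsed["max_age"] is None:
        findings.append("max-age missing or non-numeric; browsers ignore the header")
    elif parsed["max_age"] == 0:
        findings.append("max-age=0 clears the HSTS policy instead of enforcing it")
    elif parsed["max_age"] < min_max_age:
        findings.append(f"max-age {parsed['max_age']} is below the policy minimum {min_max_age}")
    if not parsed["include_subdomains"]:
        findings.append("includeSubDomains absent; subdomains can still be reached over HTTP")
    return findings


def redirect_to_https(url):
    """Return the HTTPS counterpart of a plain-HTTP URL, or None if no redirect applies.

    Only http:// URLs are rewritten, preserving host, path, query and fragment.
    """
    parts = urlsplit(url)
    if parts.scheme != "http":
        return None
    return urlunsplit(("https", parts.netloc, parts.path, parts.query, parts.fragment))


if __name__ == "__main__":
    # Constructed sample headers: one strong, one too short-lived.
    good = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}
    weak = {"strict-transport-security": "max-age=300"}
    for sample in (good, weak):
        print(sample, "->", evaluate_hsts(sample) or "OK")
    print(redirect_to_https("http://example.com/login?next=/app"))
```

A header that sets `max-age=0` is a real pitfall: it is syntactically valid but instructs browsers to forget the policy, so a monitoring check that only tests for the header's presence would pass while HTTPS enforcement is effectively off.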

Infrastructure.

  • All data is hosted and secured in a private environment. All publicly facing endpoints and IP addresses are firewalled.
  • Access to our environment requires two-factor authentication and is allowed only from well-known employee IP addresses. Access attempts are logged securely and audited in real time.
  • We utilize denial of service (DoS) protection services and web application firewalls (WAF) to ensure our services are protected from attacks.
  • Our infrastructure is audited automatically and our team follows a strict 30-day SLA to patch all infrastructure vulnerabilities.

Compliance.

  • Interseller is Privacy Shield certified and complies with the EU General Data Protection Regulation (GDPR). If Privacy Shield is not sufficient for your organization, we are more than happy to sign a data processing agreement (DPA). Please email hi@interseller.io to start the process.
  • Interseller is also compliant with the California Consumer Privacy Act (CCPA).
  • You can request that your data be deleted at any time; such requests are usually processed within 7-10 days.

Inbox Access.

  • Interseller has access to your inbox so that we can send emails on your behalf and know when your contacts in Interseller reply back to you.
  • Interseller does not store any copies of your inbox on its servers. Interseller does keep copies of emails we send on your behalf and the first response from a contact directly to an email we’ve sent.

Third Parties.

  • Interseller utilizes third parties to help us with support and account management services.
  • Data shared with our third parties is limited to name and email address only. Absolutely no email data is ever shared with our partners.
  • Interseller periodically audits its third parties and partners to ensure that our customer data is kept secure.

Internal Policies.

  • We enforce two-factor authentication (2FA) with all sensitive data processors such as Slack, G Suite, Intercom and Stripe.
  • We utilize a password manager to secure online accounts and share them across our team.
  • We go through yearly scheduled security testing including security assessments with our partners. To obtain a copy of our report, please email hi@interseller.io.
  • Interseller is SOC 2 certified and has finished its Type 2 audit. To obtain a copy of our report, please email hi@interseller.io.
  • All employees and contractors sign a non-disclosure agreement.

Bounty Program.

We ask security researchers to report any security exploit to our HackerOne page under app.greenhouse.io. Qualifying reports will be answered within 5 days and will be paid on patch release. Reward amounts depend exclusively on the severity of the vulnerability and have an upper limit of $500.00 USD. We do not reward researchers for the following:

  • DoS;
  • Automated scripts;
  • Mixed-content scripts;
  • Social engineering;
  • Regular bugs;
  • Email flooding;
  • Or not adhering to “best practices”

Please include the following information when submitting a report:

  • Technical details of the vulnerability. Please include step-by-step instructions so we can reproduce it on our side. A video is greatly appreciated.
  • Scope and impact of the vulnerability including what type of data an attacker can access.