We've Added Maximum Security Measures

Since our business deals with not just restaurant customer feedback, but also feedback for medical clinics, dentist offices, banks, and other businesses where highly sensitive information could be transferred, we've taken steps to increase security measures beyond our already paranoid security measures.

This article outlines most of what we have in place. Some are new and some have been in place for years. We aren't outlining all of our security measures for operational security purposes.

Encryption Everywhere

Our entire website is protected by SSL/TLS (even this blog). We use RSA with a 2048-bit key. RSA is an asymmetric (public-key) encryption system whose security rests on the difficulty of factoring extremely large products of prime numbers. What does that mean? It's strong.

[Image: secure site]

We also encrypt our entire database. So if a hacker ever obtained access to the database, all the data in it is encrypted with the industry-standard AES-256 algorithm. AES became effective as a federal government standard in 2002. AES is the first (and only) publicly accessible cipher approved by the National Security Agency (NSA) for top secret information.

Protected Passwords

You are the only one who knows your password. We don't even know your password. Due to our secure storage measures, passwords cannot be retrieved on our end. If you forget your password, you can always request a reset. We'll never ask you for your password.

Request Forgery Protection

We've had cross-site request forgery (CSRF) protection in place for ages, but we've now strengthened it. That means nobody can take action on your account by getting your browser to send a request that carries your cookie. Without this protection, someone could make a request to our servers on your behalf just by getting you to visit a website where malicious JavaScript resides. But now you're protected.

Secure Cookies

The cookie that identifies you is in secure mode, which means that if you ended up on the non-secure (plain HTTP) version of our site (which should be impossible, since we redirect you automatically to the secure version), your browser won't send your authentication cookie over that connection. It's the power of browsers and our website working together to protect you :)

[Image: secure cookie]

HTTP-Only Cookies

When you tag a cookie with the HttpOnly flag, it tells the browser that this particular cookie should only be sent to the server and never exposed to scripts. Any attempt to read the cookie from client-side script (like JavaScript) is blocked by the browser.

Security Headers

When your browser requests pages and other assets from our servers, we send four special response headers that tell your browser which security measures we expect it to take.

[Image: security headers]

Those headers switch on protections that are built into the browser. Websites that don't send them are handled less strictly, which leaves room for several kinds of vulnerability.
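As an added example (not the company's own code), the following JavaScript builds a session cookie with the Secure and HttpOnly flags described in the two cookie sections and audits a captured response for them and for a baseline set of security headers, the kind of check a header scan performs. The post does not name its four headers, so the four used here and the SameSite attribute are assumptions, not the site's actual configuration.

```javascript
// Added example, not the site's code. The four headers below are an
// assumed baseline; the post does not say which four it sends.

// Session cookie with the Secure and HttpOnly flags from the post.
// SameSite=Lax is an added assumption: it backs up the CSRF protection
// by keeping the cookie off most cross-site requests.
function buildSessionCookie(name, value) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || /[;\s]/.test(value)) {
    throw new Error('invalid cookie name or value');
  }
  return `${name}=${value}; Path=/; Secure; HttpOnly; SameSite=Lax`;
}

// Assumed baseline of four security response headers.
const SECURITY_HEADERS = {
  'strict-transport-security': 'max-age=31536000; includeSubDomains',
  'x-content-type-options': 'nosniff',
  'x-frame-options': 'DENY',
  'content-security-policy': "default-src 'self'",
};

// Audit a captured response: which baseline headers are missing, and
// whether the session cookie carries both flags. Header names are
// compared case-insensitively, as HTTP requires.
function auditResponse(headers, cookieName) {
  const lower = {};
  for (const [k, v] of Object.entries(headers)) lower[k.toLowerCase()] = v;
  const missingHeaders = Object.keys(SECURITY_HEADERS).filter(h => !(h in lower));
  const setCookie = [].concat(lower['set-cookie'] || []);
  const cookie = setCookie.find(c => c.startsWith(cookieName + '='));
  const attrs = cookie
    ? cookie.split(';').slice(1).map(a => a.trim().toLowerCase())
    : [];
  return {
    missingHeaders,
    cookieFound: Boolean(cookie),
    secure: attrs.includes('secure'),
    httpOnly: attrs.includes('httponly'),
  };
}

// Constructed sample response: cookie set correctly, two headers missing.
const sampleResponse = {
  'Content-Type': 'text/html',
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'Set-Cookie': [buildSessionCookie('session', 'abc123')],
};

console.log(auditResponse(sampleResponse, 'session'));
```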

Security Scans

We perform regular security scans (we won't provide details; that's part of our security protocol), but here's a recent grade from one of our scans:

[Image: security result]

You can feel safe working with us. We'll always work hard to never lose your trust!

