Security
At the go:lofty platform (product in progress), our top priorities are customer trust and safeguarding the integrity of customer data.
1. Ensuring Product Security
2. Managing Permissions
3. Robust Password and Credential Practices
4. High Uptime Standards
5. Network and Application Safety
6. Securing Virtual Private Cloud
7. Vigilant Backups and Monitoring
8. Granular Permissions and Authentication
9. End-to-End Encryption
10. Thorough Security Testing
11. Swift Incident Response
12. Comprehensive Security Measures
Ensuring Product Security
To strengthen authentication, we support Single Sign-On (SSO) and Two-Factor Authentication (2FA). Our SSO is SAML-based: your identity provider authenticates users and asserts their identity to our platform, so your team needs no separate login credentials for it. For accounts that still sign in with a password, 2FA adds a second factor on top of the password.
Managing Permissions
Within our application, you can set permission levels for each team member. These permissions cover app settings, billing, user data, management of business-related information, and message editing and distribution.
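The following is an added example, not go:lofty's own code, of the shape such a permission model takes in an application: the permission areas are the ones listed above (the identifier strings and the role set are assumptions for the example), unknown roles resolve to no permissions, and changing someone's role is itself guarded so that an administrator can never hand out, to others or to themselves, more than they hold.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet

# Permission areas the page lists; the identifiers are assumed for this example.
APP_SETTINGS = "app_settings"
BILLING = "billing"
USER_DATA = "user_data"
BUSINESS_INFO = "business_info"
MESSAGE_EDIT = "message_edit"
MESSAGE_SEND = "message_send"
MANAGE_MEMBERS = "manage_members"  # assumed: required to change other members' roles

ALL_PERMISSIONS: FrozenSet[str] = frozenset({
    APP_SETTINGS, BILLING, USER_DATA, BUSINESS_INFO,
    MESSAGE_EDIT, MESSAGE_SEND, MANAGE_MEMBERS,
})

# Hypothetical role set; a customer-configurable system would store these per account.
ROLES: Dict[str, FrozenSet[str]] = {
    "owner": ALL_PERMISSIONS,
    "admin": ALL_PERMISSIONS - {BILLING},
    "editor": frozenset({MESSAGE_EDIT, MESSAGE_SEND, BUSINESS_INFO}),
    "viewer": frozenset(),
}


class PermissionDenied(Exception):
    pass


@dataclass
class Member:
    name: str
    role: str


def permissions_for(member: Member) -> FrozenSet[str]:
    """Unknown or misspelled roles resolve to no permissions (deny by default)."""
    return ROLES.get(member.role, frozenset())


def can(member: Member, permission: str) -> bool:
    return permission in permissions_for(member)


def require(member: Member, permission: str) -> None:
    if not can(member, permission):
        raise PermissionDenied(f"{member.name} ({member.role}) lacks {permission}")


def assign_role(actor: Member, target: Member, new_role: str) -> None:
    """Change a member's role, but never grant more than the actor holds.

    Without the subset check an 'admin' could promote a colleague (or an account
    they control) to 'owner' and so obtain the billing permission they were
    deliberately denied.
    """
    require(actor, MANAGE_MEMBERS)
    if new_role not in ROLES:
        raise ValueError(f"unknown role {new_role!r}")
    if not ROLES[new_role] <= permissions_for(actor):
        raise PermissionDenied(
            f"{actor.name} cannot grant {new_role!r}: it exceeds their own permissions")
    target.role = new_role


def send_message(actor: Member, text: str) -> str:
    """Example guarded operation: distributing a message needs the send permission."""
    require(actor, MESSAGE_SEND)
    return f"sent by {actor.name}: {text}"
```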
Robust Password and Credential Practices
Our platform enforces strict password complexity requirements. Passwords are never stored in plain text: they are stored as salted bcrypt hashes (a deliberately slow password-hashing function, not a reversible encoding), so that even a leaked credential store does not directly expose user passwords.
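An added example, not go:lofty's code, of the two halves of that practice: a policy check run at registration and a salted, slow hash for storage with constant-time verification. The policy values (12-character minimum, three character classes, a deny-list) and the work factors are assumptions for the example, and the deny-list is a constructed stand-in for a breached-password corpus. bcrypt is not in Python's standard library, so the hashing uses `hashlib.scrypt` in its place; the structure (random per-password salt, parameters stored alongside the hash, recompute-and-compare) is the same as with bcrypt.

```python
import hashlib
import hmac
import os
import re
from typing import List

# Assumed policy values; the page does not publish its exact rules.
MIN_LENGTH = 12
# Constructed stand-in for a breached-password deny-list.
COMMON_PASSWORDS = {"password", "password123", "qwerty123456", "letmein12345"}

# Assumed scrypt work factors: N=2**14, r=8 costs roughly 16 MiB and tens of ms per hash.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DK_LEN = 2 ** 14, 8, 1, 32


def password_policy_violations(password: str) -> List[str]:
    """Return the policy violations for a candidate password; empty means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("needs at least three of: lowercase, uppercase, digit, symbol")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    return problems


def hash_password(password: str) -> str:
    """Hash with a fresh 16-byte random salt; the parameters travel with the hash."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DK_LEN)
    return f"$scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, then compare in constant time."""
    try:
        _, algo, n, r, p, salt_hex, dk_hex = stored.split("$")
        if algo != "scrypt":
            return False
        expected = bytes.fromhex(dk_hex)
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except (ValueError, TypeError):
        # Malformed record: treat as a failed login rather than raising.
        return False
    return hmac.compare_digest(candidate, expected)
```

Because the salt is random per password, hashing the same password twice yields different records, which is what prevents an attacker from attacking all users' hashes at once with one precomputed table.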
High Uptime Standards
We maintain an uptime of 92.9% or higher. Statistics for the past month can be reviewed at https://golofty.io/.
Network and Application Safety
Data is hosted and stored in Google Cloud facilities across multiple regions, including the USA (us-east-1), Dublin, Ireland (eu-west-1), and Sydney, Australia. Our architecture includes failover and disaster-recovery strategies that use the three availability zones of each Google Cloud region, so service continues if a single data center fails.
Securing Virtual Private Cloud
All our servers reside within an isolated virtual private cloud (VPC). Network access control lists (ACLs) block unauthorized requests from reaching our internal network.
Vigilant Backups and Monitoring
At the application level, we generate audit logs for all activities. These logs are shipped to a Google Cloud log-analysis service (comparable to Graylog) and archived in object storage (comparable to S3). Every action in the production console or the Lofty & GoLofty.io Platform app is logged.
Granular Permissions and Authentication
Access to customer data is granted only to authorized employees who need it for their roles. Our platform operates entirely over HTTPS, and we follow a zero-trust corporate network model: being on the platform's network confers no special privileges. We use SAML SSO, 2FA, and strong password policies on GitHub, Google, AWS, and golofty.io to protect access to cloud services.
End-to-End Encryption
All data exchanged with golofty.io is encrypted in transit with TLS using 256-bit cipher suites. Our API and application endpoints accept TLS connections only (no plaintext HTTP), and they attain the highest rating of "A+" on Qualys SSL Labs' tests. Data at rest is encrypted with industry-standard AES-256.
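An added example, not go:lofty's code, of the client side of that contract: an integrator calling an HTTPS-only API should refuse to negotiate anything weaker than what the server advertises. The context below keeps Python's default certificate and hostname verification, raises the protocol floor to TLS 1.2, disables TLS compression, and restricts TLS 1.2 suites to forward-secret AEAD ciphers; `weak_ciphers` audits what the resulting context would actually offer. The cipher string and the helper names are this example's choices.

```python
import socket
import ssl
from typing import Dict, List


def hardened_client_context() -> ssl.SSLContext:
    """Client TLS settings for an HTTPS-only API.

    ssl.create_default_context() already loads the system trust store and turns
    on certificate chain and hostname verification. The additions refuse legacy
    protocol versions, disable TLS compression, and drop non-AEAD and
    non-forward-secret TLS 1.2 suites (TLS 1.3 suites are AEAD by definition).
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.options |= ssl.OP_NO_COMPRESSION
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def weak_ciphers(ctx: ssl.SSLContext) -> List[str]:
    """Enabled suites below 128 bits or based on obsolete primitives; empty when clean."""
    obsolete = ("RC4", "3DES", "DES", "MD5", "NULL")
    return [c["name"] for c in ctx.get_ciphers()
            if c["strength_bits"] < 128 or any(tag in c["name"] for tag in obsolete)]


def context_summary(ctx: ssl.SSLContext) -> Dict[str, object]:
    """The properties worth checking before trusting a context in production."""
    return {
        "min_version": ctx.minimum_version.name,
        "check_hostname": ctx.check_hostname,
        "verify_required": ctx.verify_mode == ssl.CERT_REQUIRED,
        "compression_disabled": bool(ctx.options & ssl.OP_NO_COMPRESSION),
        "weak_ciphers": weak_ciphers(ctx),
    }


def negotiate(host: str, port: int = 443, timeout: float = 5.0) -> Dict[str, object]:
    """Open a connection with the hardened context and report what was negotiated.

    Not exercised offline; run it against a host you operate, e.g. negotiate("golofty.io").
    A server that only offers TLS 1.0/1.1 or a non-AEAD suite fails the handshake here.
    """
    ctx = hardened_client_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return {"version": tls.version(), "cipher": tls.cipher()[0]}
```

Note that this enforces the policy for the client's own connections only; the server's configuration (and the "A+" rating above) is what protects every other client.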
Thorough Security Testing
We continually scan for vulnerabilities using third-party security tools, and our security team promptly addresses any identified issues. Biannually, third-party security experts conduct penetration tests on our application and infrastructure. We also run a bug bounty program with Bugcrowd, through which security researchers can submit vulnerability reports.
Swift Incident Response
Our security incident process covers escalation procedures, rapid mitigation, and post-incident analysis. All employees are trained in our security policies.
Comprehensive Security Measures
Training: All employees partake in annual Security and Awareness training.
Policies: Our evolving security policies span a range of subjects and are regularly communicated to all employees.
Employee Vetting: Adhering to local laws, we perform background checks on new employees, encompassing employment verification and criminal checks.
Confidentiality: Confidentiality agreements are an integral part of all employee contracts.
PCI Compliance: Payments are processed through Stripe, our partner. Details about their security and PCI compliance can be accessed at Stripe’s security page ( https://stripe.com/docs/security ).
Questions About Security?
If you believe you have discovered a security vulnerability, please report it to our security team at security [email protected] .