AtHomeHere Limited (“@homehere“, “we” or “us“) consider security, privacy and protection of our customers' data as our top priority. Equally, transparency is one of the principles on which our company is built and we aim to be as clear and open as is prudent about how we implement security. If you have questions regarding security, we are happy to answer them.
Confidentiality
We place strict controls over every our employee's access to customer-specific data ("Customer Data"), and are committed to ensuring that Customer Data is not seen by anyone who should not have access to it.
The operation of our services does requires that some employees have access to the systems which store and process Customer Data. For example, in order to diagnose a problem you are having with our services, we may need to access your Customer Data. These employees are prohibited from using these permissions to view Customer Data unless it is necessary to do so. We have technical controls and audit policies in place to ensure that any access to Customer Data is logged.
All of our employees are bound to our policies regarding Customer Data and we treat these issues as matters of the highest importance.
Personnel Practices
We conducts background checks on all new employees. Every employee receives privacy and security training on an ongoing basis. All employees are required to read and sign our information security and confidentiality policies.
System security, data privacy and protection
We work only Tier-1 systems and services providers and have strict processes in place to ensure the very highest level of protection and privacy of your data.
Physical storage:
All servers and data are hosted on Amazon Web Service (AWS). Amazon is a recognised world leader in Infrastructure as a Service (IaaS). AWS take data security very seriously both in terms of physical access to servers and security over the network. Amazon has world-class level dedicated security teams to protect client infrastructure against malicious attacks. Physical access is strictly controlled and AWS complies with GDPR and the EN-EU privacy shield.
You can find more info here: https://aws.amazon.com/compliance/
Deletion of Customer Data
We provide the option for Owners to delete their own Customer Data at any time during their trial or commercial subscription term. Within 24 hours of notification by the Owner, we delete all information from currently-running production systems.
Data Encryption In-transit and at rest
We implement the latest recommended secure cipher suites and protocols to encrypt all traffic in transit. We promptly to upgrade the service to respond to new security weaknesses as they are discovered and implement best practices as they evolve. Customer Data is encrypted at rest.
Technology stack
We use the leading and most recognised technologies in our database stack including MongoDB as our massively scalable database engine and Linux-based servers. Security updates are applied as soon as published and all ports and firewalls are correctly configured.
Network communication:
All network communication is encrypted using secure SSL connections.
Backup and availability:
We understand that you rely on our services to work. We're committed to ensuring a highly-available service that you can count on. Our infrastructure runs on systems that are fault tolerant, for failures of individual servers or even entire data centres. Our operations team tests disaster-recovery measures regularly and staffs an around-the-clock on-call team to quickly resolve unexpected incidents.
Replication
Your data is replicated to multiple database instances in real time and backed-up daily in case of data corruption. Backups are stored in remote data centre environments to minimise the potential for data loss. Our architecture is built with horizontally-scalable applications in a high availability fault-tolerant configuration to ensure minimum downtime.
Code quality reviews:
Our application is regularly tested by an independent third-party against known issues including SQL-injection and XSS cross-site scripting. We use a modern development frameworks to limit risk and our development team is trained in all major areas of weakness. Code is carefully tested and reviewed during a number of QA release cycles before being released to production.
Password:
We do not store your password only an encrypted version of it. We will never ever ask you to give us your password - except on your login page. It is your responsibility to ensure your password and API keys are safe and that you do not give them to anyone.
Credit card data
We do not store your payment card detail, they are store by our payment processor Stripe.
Last updated: April, 2020
