Security & Trust
Last updated March 6, 2024
This document summarizes the security controls used to protect Paidnice software, systems and customer data.
Access Controls
Staff user logins
- controlled with Google Account
- Require strong passwords enforced by Google
- Use and require 2-factor authentication
- Full audit logging via Google Workspace
- All staff required to use password management with strong unique passwords
Paidnice application servers
- Hosted with Salesforce Heroku Cloud platform
- Login to Heroku requires 2-factor authentication
- Full access logs
- Activity logs
- Secure multi-tenant cloud platform
- Access restricted to engineering team and senior management
External Systems
Microsoft GitHub
- Control access to application source code
- Require 2-factor auth
- All changes logs and reviewed
- Software deployments managed via Github Actions and require engineer approval
Marketing, Billing and Customer Service tools
- Intercom for customer support - secured with Google Account login
- Mixpanel for product analytics
- Stripe billing data - all credit card and customer billing information is stored with Stripe.
- Paidnice does not handle credit card data directly.
- Access is restricted to senior staff and requires 2-factor authentication.
Software controls
Application access
- All user logins managed with Okta’s auth0.com (https://auth0.com)
- All 3rd party tokens stored encrypted via AES 256
- All data encrypted in transit via SSL
- Data stored in Heroku Postgres database
- Continuous Protection used to automatically and continuously backup all application data.
- Data encrypted at rest via AES-256, block-level storage
- Application access logged to Google Cloud
