We put security, privacy, and data protection at the core of our product. We are GDPR compliant and constantly strive to go above the minimum regulatory standards.
SOC 2 Compliance
SOC 2 Type II (pending audit), ISO/IEC 27001 (pending audit)
GoRetro undergoes black box penetration testing, conducted by an independent, third-party agency, twice a year. Information about any security vulnerabilities successfully exploited through penetration testing is used to set mitigation and remediation priorities. GoRetro will provide a summary of penetration test findings upon request.
End-to-End Encryption
GoRetro encrypts data in transit using 256-bit Secure Sockets Layer (SSL) technology. We use Google Cloud Platform to store all our data, and it applies default encryption at rest using either AES-256 or AES-128. You can read more about Google Cloud encryption here: https://cloud.google.com/
Our passwords are stored securely using bcrypt hashing provided by Google Cloud. We also enforce strong passwords.
Users are required to verify the ownership of the account email via a link provided in an automated email prior to creating data in GoRetro.
GoRetro is hosted on Firebase, which is part of Google Cloud Platform. Our data is hosted in US Central. You can read more about GCP security here: https://cloud.google.com/security/.
GoRetro performs regular backups once per day. All backups are encrypted by default. Backups are deleted 30 days after they are created.
Attack Prevention & Mitigation
We use Firebase for authentication services, which includes a monitoring feature that blocks attacking IP addresses. Google Cloud Platform’s intrusion detection involves tightly controlling the size and make-up of Google’s attack surface through preventative measures, employing intelligent detection controls at data entry points, and employing technologies that automatically remedy certain dangerous situations.