Security

We value your data and are committed to keeping it safe and secure.

This document outlines some of the ways we handle your data with care in transit and at rest.

Organizational Security

We are a small (but mighty!) team. Here are some of the best practices we’ve adopted:

  • Access to servers, source code, and third-party tools is limited to core team members.
  • We use strong, randomly-generated passwords stored in a password manager (1Password).
  • Employees and contractors are given the lowest level of access that allows them to get their work done. This rarely includes access to production systems or data.
  • We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.
  • We don’t copy production data to external devices (like personal laptops).

Encryption

All data is encrypted in transit and at rest.

When a user connects a third-party service (like Google or Twitter) to Buttondown, we only receive a token that allows us to access their data. We do not store any of that data, and we encrypt the token before storing it in our database.

Infrastructure

Our application is hosted in two separate environments: Vercel and Heroku. Our database is hosted on AWS in the us-east-1 region.

Data Retention

We only retain data for as long as it is necessary to provide the service. We do not sell or share your data with third parties.

Logging

Application logs are stored in Better Stack and subject to a 30-day retention policy.

FAQ

Is Buttondown GDPR-compliant?

Yup; you can read more about it here.

Is Buttondown SOC 2-certified?

No. While we'd like to reach these certifications, we don't have a timeline or plan to do so. Our core infrastructure providers are SOC 2-certified, but we're not.

How do I report a security issue?

Please email us at support@buttondown.com.
