Security is one of the biggest considerations in everything we do. If you have any questions after reading this, or encounter any issues, please let us know. This document is intended to provide further transparency about how we protect this important data.
We regularly audit every layer of security. We maintain security procedures designed to ensure information we own, license and process is not accessed by any unauthorized person or business. We use a variety of multi-level security systems to control access to our services and information products.
We’ve partnered with Amazon Web Services to provide a secure and reliable cloud environment for our software. We use a combination of load balancers, firewalls, and VPNs to ensure that network access is restricted on an as-needed basis. We limit access to our production infrastructure and strongly authenticate that access.
All network communication in the Gerald platform occurs over secure SSL/TLS. Our internal infrastructure rejects all packets sent on ports other than port 443 and redirects all unsecured port 80 requests over to port 443. We regularly audit the details of our implementation and the certificates that we serve.
In addition to SSL connections, automated data communication goes through additional encryption layers for enhanced security during transit and at rest for sensitive data.
Gerald never stores your password in plaintext. All user passwords are stored using BCrypt2 with multiple rounds of hashing and a unique salt for each credential.
All user data is encrypted at rest with AES256-CBC. Decryption keys are stored on separate machines. None of Gerald’s internal servers and daemons are able to obtain plaintext data. Gerald’s infrastructure for storing, decrypting, and transmitting user sensitive data doesn’t share any credentials with Gerald’s primary services (API, website, etc.).
Our database backups and file storage encrypt everything at rest. Each customer is scoped to view only their data and no one else's. Our database supports TLS/SSL (Transport Layer Security/Secure Sockets Layer) to encrypt all of database’s network traffic. TLS/SSL ensures that database network traffic is only readable by the intended client.
We backup all customer content at least once daily. We do not utilize portable or removable media for backups. All backups are encrypted with AES-256.
Encryption at rest, when used in conjunction with transport encryption and our security policies that protect relevant accounts, passwords, and encryption keys, ensures compliance with security and privacy standards, including PII, HIPAA, PCI-DSS, and FERPA.