Security policy

We take security seriously here at Overloop, and we are proud to exceed the industry standard when it comes to protecting your organization.

Infrastructure

All of our services run in the cloud. We don’t host or run our own routers, load balancers, DNS servers, or physical servers. Our service is built on Heroku (Salesforce, Inc.) which itself is hosted on Amazon Web Services (AWS). They provide strong security measures to protect our infrastructure and are compliant with most certifications. You can read more about their practices here and here.

Security features

  • DDoS attack protection

    We use a fast, globally distributed, intelligent and always-on DDoS protection service powered by Cloudflare, Inc.

  • Data encryption in transit

    All data sent to or from our infrastructure is encrypted in transit using TLS, following industry best practices. You can see our SSLLabs report here.

  • Data encryption at rest

    All our user data (including passwords) is encrypted in the database using battle-tested encryption algorithms by our database providers Heroku (Salesforce, Inc.) and Redis Labs, Inc.

  • Custom data removal

    We retain our users’ data for a period of 60 days after their subscription ends. All data is then completely removed from our servers, with the exception of payment and invoice data. Every user can request the removal of usage data by contacting support.

  • Disaster recovery

    We back up all our critical assets and regularly attempt to restore the backup to guarantee a fast recovery in case of disaster. All our backups are encrypted.

  • Application security monitoring

    We use Bugsnag to monitor exceptions and logs and to detect anomalies in our applications. We collect and store logs to provide an audit trail of our applications’ activity.

  • Application security protection

    • A WAF is set up to filter incoming requests that attempt to compromise the service.
    • A firewall is systematically used on Overloop’s servers to prevent access from non-approved IP addresses.
    • Critical admin interfaces are protected using at least two-factor authentication.
    • Our software infrastructure is regularly updated, using automatic update mechanisms where possible.
    • End-to-end encrypted messaging systems are available to Overloop’s employees and contractors, and are used for most communications.

  • Secure development

    We apply development best practices to mitigate known vulnerability types such as those on the OWASP Top 10 Web Application Security Risks.

  • Payment processing

    All payment processing is outsourced to Stripe, which is certified as a PCI Level 1 Service Provider. We don’t collect any payment information and are therefore not subject to PCI obligations.

  • Restricted data access

    Our strict internal procedure prevents any employee from gaining access to user data. Limited exceptions can be made for customer support.

Vulnerability disclosure program

No technology is perfect, and we believe that working with skilled security researchers across the globe is crucial in identifying weaknesses in Overloop. If you believe you’ve found a security issue in our product, we encourage you to notify us and welcome working with you to resolve the issue promptly.

Have further questions about our approach to security and how we protect your data?

Contact Us