Your confidence in the security of our services and protection of your data is really important to us. To give you better confidence regarding what we do to fulfil our responsibilities, we’ve put together the following overview of our approach to security. This page sits alongside and in support of our approach to privacy and our use of cookies.

What security features have we deployed?

Security is best implemented through a mixture of people, process and technology controls in many layers of our service. Below is a list of the main points, but there's lots going on behind the scenes too;

  • We perform regular risk reviews to identify ways in which we can improve the security of, taking steps to find and mitigate risks to address any areas that we believe can be improved upon and further secured.
  • Our hosting is with industry-leading AWS. You can view their security page here.
  • Access to customer data or our application and infrastructure is provided strictly on a need-to-know basis, enforcing 'Least Privilege Access' principles. We conduct reviews of our roles and access controls regularly to ensure this principle hasn't slipped.
  • We take full daily backups of our service and the data within it to ensure any impact from a disaster is minimised in terms of recovery point and recovery time (we can get back up and running really quickly, and without losing much data).
  • We employ 256-bit Advanced Encryption Standard (AES) for all storage and transfer of data, to reduce risks of eavesdropping or data theft.
  • All system administrator access makes use of Two Factor Authentication so that account misuse threats are minimized
  • We operate regular vulnerability scanning across our applications and infrastructure to ensure rapid identification and remediation of vulnerabilities.
  • We operate a program of responsible disclosure and undertake penetration testing and active red-team testing to find and mitigate common attacks.
  • We build security into our development and operations (DevOps) processes, to run a secure development lifecycle with secure-by-design principles adopted from the earliest stages in all activities.
  • We use different environments for development, testing and live operations of our services. These environments are separated both logically and physically from each other and no customer data is used in testing or development.
  • Comprehensive audit logs are kept for changes made by administrators. They provide records including type, action, performer and timestamp that it was executed.
  • Our full service is monitored 24/7 for security incidents, with response plans in place and tested for common scenarios.
  • Billing security is handed off to our payment partners; we do not store any payment card information
What security certifications do we have?

We're a (very) young company, and still in the process of building our operations and platform. That said, we are building with the intention of getting certified to a number of industry standards. This section will be updated as we make progress.

How can you report a security vulnerability?

If you are a current customer and suspect your account has been compromised, please get in touch with us immediately via our support chat or directly by email to works vigilantly to keep our (and our customers') information secure, and we recognise the important role that security researchers can help play in both maintaining and improving our security posture. We operate a responsible disclosure program on the following basis:

  • You must act in good faith to avoid privacy violations, destruction of data, and interruption or degradation of our services (including Denial of Service).
  • The following specific activities are explicitly forbidden under our responsible disclosure program, and any such activity will be considered an attempt to compromise our services and be liable for prosecution under appropriate laws.
    • Please do not perform any social engineering attacks;
    • Please do not carry out any distributed denial of service (DDoS) attacks, including large scale account enumeration or brute force that might lead to the lock-out of a real user's account;
    • Please do not use any automated vulnerability/scanning tools (existing measures in place may permanently block an offending IP address); and
    • Please do not carry out any attack against our corporate email ( and associated infrastructure.
  • The following reported issues would be considered to be outside the scope of our program:
    • Our policies and implementation of SPF/DMARC records.
    • Password, email and account policies, such as email id verification, reset link expiration, password complexity.
    • Attacks requiring physical access to a user's device.
    • Host header injections unless you can show how they can lead to stealing user data.
    • Reports of spam (ie. any report involving the ability to send emails unless the applicable rate limits we enforce can be bypassed).
    • Vulnerabilities affecting users of outdated browsers or platforms.
    • Vulnerabilities involving active content such as web browser add-ons.
    • Social engineering of employees, contractors or customers.
    • Any physical attempts against property or data centers.
    • Any report that discusses how you can learn whether a given username or email address has a account.
    • Any access to data where the targeted user needs to be operating a jailbroken/rooted mobile device.
    • Content spoofing vulnerabilities (where you can only inject text or an image into a page).
    • Ability to share links without verifying email.
    • Absence of rate limiting, unless related to authentication.
    • IP/Port Scanning via services unless you are able to hit private IPs or servers.
    • Disclosure of public information or information that does not present risk to or our customers (eg. web server type disclosure).
    • Phishing risk via unicode or right-to-left-override issues.
    • Vulnerabilities contingent on a client system previously being compromised.
  • You should provide a thorough proof-of-concept/replication of your findings including the steps taken; any videos and images; a fully documented description and business impact details, and to only.
  • Information relating to our technology and information security arrangements (unless made public by us) is confidential. Any information you receive or collect about or any of our customers as part of your research prior to making a Responsible Disclosure submission, as detailed in this program, must be kept confidential and only used in connection with the Responsible Disclosure. You may not use, disclose or distribute any such information without our prior written consent. Any such information should be deleted once your submission has been received.
  • reserves the right to change or withdraw this program at any time and is under no obligation to reward any submission in any way. We will not negotiate in response to duress or threats (eg. threat of withholding the vulnerability, or of releasing the vulnerability or any exposed data to the public). In any and all such cases, we will engage the appropriate authorities as necessary.

Any security vulnerabilities discovered within the parameters of our responsible disclosure program should be reported via our support chat or directly by email to


Who deserves our praise and kudos?

This is a place for us to offer thanks and praise to security researchers who took the time to report issues and observations to us.