Last updated: 6 Oct 2016
Security and reliability is our number one priority at Opphound so we have designed our processes and systems to meet industry best practices. Specifically we have applied the principles laid out in:
In the following sections we have answered several specific questions that customers may have.
Opphound requires all users to sign on with an email address and password. The email address is the primary form of communication between Opphound and its users and must be confirmed within 2 days of opening an account.
Password resets and email confirmations are performed through the creation of unique tokens that are generated at the request of the user. The tokens are sent to the user's email address to direct them to a secure page where they can either change their password or confirm their email address.
Here are some specific points about passwords:
Here are some additional points about user accounts:
Opphound was developed with data security built in from the ground up. Data security and validation is the primary focus of the automated testing system that automatically runs a complete set of tests every time a change is released. These automated tests simulate every scenario where someone may try to access or modify the data of a customer without authorisation.
The additional benefit of automated testing is it allows us to make changes to Opphound and have the confidence that the changes do not have a negative impact on security.
Opphound uses the strongest levels of encryption available to encrypt data that is transferred between our servers and our customer’s devices. The encryption protocol used is TLS 1.2 with RSA 2048 (SHA256) with some backwards compatibility with TLS 1.0 to support older devices. To ensure that our encryption is correctly configured, we use certificates issued by Amazon Web Services.
As an assurance check we use the independent automated testing service provided by Qualys SSL Labs (www.ssllabs.com) where Opphound.com receives an A+ rating.
Opphound leverages the global size of Amazon Web Services (AWS) to provide highly scalable, reliable infrastructure. The primary components are:
All of these components are hosted in the secure AWS facilities in California.
Like many modern applications, Opphound is built on a range of open source technologies that are maintained by thousands of developers around the world. The benefit of this approach is a high degree of transparency and independent scrutiny. If any vulnerabilities are identified they are quickly reported and patches are released. The primary components of the Opphound application stack are:
To ensure that credit card information is stored in compliance with the Payment Card Industry (PCI) requirements, Opphound uses the services of a third party payments processing company called Stripe. When a customer subscribes to Opphound, their credit card details are sent directly from their device to the Stripe servers where they are securely stored. At no stage does Opphound receive, transmit or store these details. Stripe is a global payments processing company with a presence in over 25 countries and handles billions of dollars in payments each year covering a multitude of currencies.
The Opphound instances are updated and replaced on a weekly basis to ensure that the application and all its dependencies are always on the latest versions. This reduces our exposure to vulnerabilities as we are constantly implementing bug fixes as they are released. These maintenance activities happen without any downtime on Opphound.
Backups of customer data in the database are performed daily and the entire Opphound code base is maintained under configuration control (Git) and backed up away from the Opphound premises.