We treat security with the utmost importance here at Interseller. Here's what we do to ensure we keep all of our data safe.
- All requests to Interseller, including any interim connections across Interseller's infrastructure, are secured with HTTPS and/or SSL. Any connection or request using an unsecured protocol, like HTTP, is redirected to its secure counterpart or terminated.
- Interseller uses HSTS, a mechanism supported by well-known browsers that tells them our website uses HTTPS and has them enforce it and ignore HTTP.
- All data and customer data is encrypted at rest and encrypted in transit.
- All secret keys and customer keys (e.g. integrations) are encrypted with hardware security modules (HSM) for extra protection.
- Credit cards are stored and processed securely with Stripe, which is PCI Level 1 compliant.
- All data is hosted and secured in a private environment. All publicly facing endpoints and IP addresses are firewalled.
- Access to our environment requires two-factor authentication and is allowed only from well-known employee IP addresses. Access attempts are logged securely and audited periodically.
- We utilize denial of service (DoS) protection services and web application firewalls (WAF) to ensure our services are protected from attacks.
- Interseller is Privacy Shield certified and complies with the EU General Data Protection Regulation (GDPR).
- You can request that your data be deleted at any time; requests are usually processed within 7-10 days of the request.
- Interseller utilizes third parties to help us with support and account management services.
- Data shared with our third parties is limited to name and email address only. Absolutely no email data is ever shared with our partners.
- Interseller periodically audits its third parties and partners to ensure that our customer data is kept secure.
- We enforce two-factor authentication (2FA) with all sensitive data processors such as Slack, G Suite, Intercom and Stripe.
- We utilize a password manager to secure online accounts and share them across our team.
- We go through yearly scheduled security testing including security assessments with our partners.
- All employees and contractors sign a non-disclosure agreement.
We ask security researchers to report any security exploit to firstname.lastname@example.org. Qualifying reports will be answered within 5 days and will be paid via PayPal on patch release. Reward amounts will depend exclusively on the severity of the vulnerability and have an upper limit of $750.00 USD. We do not reward researchers for DoS, automated scripts, mixed-content scripts, social engineering, regular bugs, or not adhering to "best practices". Please include the following information when submitting a report:
- Technical details of the vulnerability. Please include step-by-step instructions so we can reproduce it on our side. A video is greatly appreciated.
- Scope and impact of the vulnerability including what type of data an attacker can access.