Security

At Macabacus, security is extremely important. If you have any questions about our security practices, please contact us.

Technology

All communications with Macabacus are encrypted in transit. We send an HSTS header so that browsers connect to us only over HTTPS, and our servers accept TLS 1.2 or higher for all connections over public networks, so your information is protected while it travels. Our web server configuration holds an A rating from Qualys SSL Labs, a widely used service that analyzes the TLS configuration of millions of web servers.
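The two controls named above, an HSTS header and a TLS 1.2 floor, are easy to misconfigure in ways an A rating does not always surface: a short max-age, a missing includeSubDomains, or a server that still negotiates TLS 1.0. The block below is an added example (not Macabacus code, and not captured from macabacus.com): it parses a Strict-Transport-Security value the way a browser does, lists the policy problems a reviewer would flag, and builds a server-side ssl context that refuses anything below TLS 1.2. The header strings in SAMPLES are constructed.

```python
"""Check an HSTS header value and a TLS version floor.

Added example, not Macabacus code. The sample headers are constructed;
to check a live host, feed it the value from
    curl -sI https://example.com | grep -i strict-transport-security
Note that browsers ignore HSTS sent over plain http://, so only the
HTTPS response counts.
"""
import re
import ssl

# hstspreload.org requires at least one year for the preload list.
ONE_YEAR = 31_536_000

# Constructed samples: a good policy, a weak one, and a malformed one.
SAMPLES = [
    "max-age=63072000; includeSubDomains; preload",
    "max-age=300",
    "max-age=abc; includeSubDomains",
]


def parse_hsts(header: str) -> dict:
    """Split a Strict-Transport-Security value into its directives.

    Directive names are case-insensitive. max-age carries a value;
    includeSubDomains and preload are bare flags, stored as True.
    """
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        directives[name.strip().lower()] = value.strip().strip('"') or True
    return directives


def hsts_issues(header: str, require_preload: bool = False) -> list:
    """Return the policy problems found (an empty list means it passes).

    Checks that max-age is present, numeric and at least one year, that
    includeSubDomains is set, and optionally that the preload token is present.
    """
    d = parse_hsts(header)
    issues = []
    max_age = d.get("max-age")
    if max_age is None or max_age is True or not re.fullmatch(r"\d+", max_age):
        issues.append("max-age missing or not a number")
    elif int(max_age) < ONE_YEAR:
        issues.append(f"max-age {max_age}s is below one year ({ONE_YEAR}s)")
    if "includesubdomains" not in d:
        issues.append("includeSubDomains missing: subdomains stay downgradable")
    if require_preload and "preload" not in d:
        issues.append("preload missing: browsers cannot enforce HTTPS before the first visit")
    return issues


def tls12_floor_context() -> ssl.SSLContext:
    """A server-side context that refuses TLS 1.0 and 1.1 handshakes.

    A bare SSLContext may still allow older versions depending on the
    OpenSSL build, so the floor is set explicitly.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def minimum_tls_name(ctx: ssl.SSLContext) -> str:
    """Name of the lowest protocol version the context will negotiate."""
    return ctx.minimum_version.name


if __name__ == "__main__":
    for h in SAMPLES:
        print(f"{h!r} -> {hsts_issues(h, require_preload=True) or 'ok'}")
    print("server floor:", minimum_tls_name(tls12_floor_context()))
```

The parser keeps directive names lowercase because the header is case-insensitive by specification; the preload check is optional because a site that is not on the preload list gains nothing from the token but loses nothing either.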

Macabacus’ hardware is hosted in a dedicated hosting environment covered by a SOC 2 Type 2 report, which limits physical access to the network and provides constant physical security. Firewalls protect and restrict communication entering the network. We also use Microsoft Azure and Google Cloud Platform (GCP) to provide various services. Azure holds ISO 9001 and ISO 27001 certifications, among many others, and GCP holds ISO 27001 certification as part of its compliance offerings.

We hash all customer passwords before storing them, so that in the unlikely event of a breach the stored values cannot simply be read back as passwords. All communication with our servers is encrypted in transit, and data on our servers is encrypted at rest.
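The page says passwords are hashed before storage but does not name the algorithm, and "hashed" on its own is not enough: a plain SHA-256 of a password is recovered quickly by a GPU cracker, while a salted, memory-hard password hash is not. The block below is an added example, not Macabacus code, showing the shape of a safe scheme using scrypt from Python's standard library. The record format (`scrypt$N$r$p$salt$hash`) and the work factors are this example's own choices.

```python
"""Store and verify passwords with a salted, memory-hard KDF (scrypt).

Added example, not Macabacus code. The record format and work factors
below are assumptions made for illustration.
"""
import base64
import hashlib
import hmac
import os

# Work factors: N=2**14, r=8, p=1 costs about 16 MiB of memory per hash,
# which is what slows a GPU attacker down. Raise N as hardware improves;
# each record carries its own parameters so old hashes still verify.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES, KEY_BYTES = 16, 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$hash (base64 fields)."""
    salt = os.urandom(SALT_BYTES)  # fresh per password: equal passwords get different records
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(key)])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    try:
        algo, n, r, p, salt_b64, key_b64 = record.split("$")
        n, r, p = int(n), int(r), int(p)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(key_b64)
    except ValueError:  # wrong field count, non-numeric parameter, or bad base64
        return False
    if algo != "scrypt" or not expected:
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=n, r=r, p=p, dklen=len(expected))
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True when a stored record is weaker than the current policy.

    Call this after a successful login and re-hash with the user's
    just-verified password, so old records are upgraded over time.
    """
    try:
        algo, n, _r, _p, _salt, _key = record.split("$")
        return algo != "scrypt" or int(n) < SCRYPT_N
    except ValueError:
        return True


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print("right password:", verify_password("correct horse battery staple", rec))
    print("wrong password:", verify_password("Correct horse battery staple", rec))
    print("needs rehash:", needs_rehash(rec))
```

Two details matter beyond the choice of algorithm: the salt is random per record, so a breached table cannot be attacked with one precomputed dictionary for all users, and verification returns False for malformed records instead of raising, so a corrupted row cannot turn into an error path that skips the check.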

All credit card and bank account information is handled and, where applicable, stored by our PCI DSS Level 1 compliant payment processor and payment gateways (Stripe and PayPal). PCI DSS Level 1 is the most stringent compliance level in the payments industry. Macabacus itself does not handle or store sensitive payment information.

Our software is digitally signed with a DigiCert EV Code Signing certificate. The signature lets the operating system verify that an installer or add-in was published by Macabacus and has not been altered or corrupted since it was signed; if the publisher shown at install time is not Macabacus, or the signature is reported as invalid, do not install the file.

Vulnerability Testing

We periodically test our applications and infrastructure for vulnerabilities through third-party and internal penetration tests. Macabacus currently does not have a bug bounty program in place. While we value the contributions and efforts of the security community in identifying potential vulnerabilities, we have chosen to focus our resources on other security measures and initiatives at this time.

Our decision not to implement a bug bounty program is based on a thorough evaluation of our current security protocols and priorities. We are committed to maintaining the highest standards of security and continuously improving our systems through rigorous internal testing and third-party audits. We believe these measures are the most effective way to ensure the safety and integrity of our services.

We appreciate your understanding and encourage anyone who discovers a security issue to report it directly to our security team at security@macabacus.com. Your cooperation and vigilance are crucial in helping us protect our users and their data. Thank you for your continued support and dedication to security.

PGP

Macabacus publishes a public PGP key so that you can encrypt your communications with us when required. If you need to submit sensitive information to us, or otherwise need to send us a secure message, please encrypt it to our public key.

Internal Security

Access to sensitive information and cryptographic keys is strictly limited to those with a need to know. Multi-factor authentication combined with strong password controls is always required for administrative access.

Incident Response

To learn more about how we handle security incidents, please see our Security Incident Response Plan.