Security

At Macabacus, security is extremely important. If you have any questions about our security practices, please contact us.

Technology

All communication with Macabacus over public networks is encrypted in transit. We send an HTTP Strict Transport Security (HSTS) header so that browsers connect to us only over HTTPS, and we accept only TLS 1.2 or higher. Our web server configuration holds an A rating from Qualys SSL Labs, a widely used service that analyzes the TLS configuration of millions of websites.

Macabacus’ hardware is hosted in a SOC 2 Type 2 compliant dedicated hosting environment that limits physical access to the network and provides round-the-clock physical security. Firewalls restrict the traffic allowed into the network. We also use Microsoft Azure and Google Cloud Platform (GCP) for various services. Azure holds ISO 9001 and ISO/IEC 27001 certifications, among many others; GCP holds ISO/IEC 27001 certification as part of its compliance offerings. Customer passwords are never stored in plaintext: we store only one-way hashes of them, so that in the unlikely event of a breach the passwords themselves are not exposed. All communication with our servers is encrypted in transit, and data on our servers is encrypted at rest.
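The page states that passwords are hashed but does not say with which algorithm or parameters, so the following is an added example (not Macabacus code) of what "hashing before storing" should mean in practice: a random per-user salt, a deliberately slow key-derivation function (PBKDF2-HMAC-SHA256 from the Python standard library, with the 600,000 iterations OWASP recommends for that construction), a constant-time comparison on verification, and a stored parameter string so that older hashes can be detected and upgraded when the iteration count is raised. The record format and the constants are assumptions for the example. Memory-hard functions such as scrypt or Argon2 are the stronger choice where a library is available; PBKDF2 is used here only because it needs no third-party package.

```python
import base64
import hashlib
import hmac
import os

# Stored-record format (assumed for this example): algorithm$iterations$salt$hash,
# with salt and hash base64-encoded. Keeping the parameters next to the hash is
# what lets the iteration count be raised later without locking users out.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000     # OWASP recommendation for PBKDF2-HMAC-SHA256
SALT_BYTES = 16
HASH_BYTES = 32


def _derive(password: str, salt: bytes, iterations: int) -> bytes:
    """Slow, salted derivation: the cost is what makes offline cracking expensive."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=HASH_BYTES)


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a salted hash record suitable for storing in a user table."""
    salt = os.urandom(SALT_BYTES)   # fresh per password, so equal passwords store differently
    digest = _derive(password, salt, iterations)
    return "$".join([ALGORITHM, str(iterations),
                     base64.b64encode(salt).decode("ascii"),
                     base64.b64encode(digest).decode("ascii")])


def verify_password(password: str, stored: str) -> bool:
    """Check a login attempt against a stored record without leaking timing."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = stored.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(digest_b64)
        candidate = _derive(password, salt, int(iterations))
    except (ValueError, TypeError):
        return False                # malformed record: treat as a failed login
    # compare_digest takes the same time regardless of where the first mismatch is
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True when the record was made with weaker parameters than we now require."""
    try:
        algorithm, iterations, _salt, _digest = stored.split("$")
        return algorithm != ALGORITHM or int(iterations) < ITERATIONS
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("right password:", verify_password("correct horse battery staple", record))
    print("wrong password:", verify_password("Tr0ub4dor&3", record))
    legacy = hash_password("correct horse battery staple", iterations=10_000)
    print("legacy record needs upgrade:", needs_rehash(legacy))
```

On a successful login, if `needs_rehash(stored)` is true, call `hash_password` again with the plaintext the user just supplied and replace the record; that upgrades legacy hashes transparently as users sign in.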

All credit card and bank account information is handled and stored, as applicable, by our PCI DSS Level 1 compliant payment processor and payment gateways (Stripe and PayPal). Level 1 is the most stringent level of PCI DSS compliance available in the payments industry. Macabacus itself does not handle or store sensitive payment information.

Our software is digitally signed with a DigiCert EV Code Signing certificate, so that users and the operating system can verify who published it and confirm that it has not been altered, corrupted, or otherwise compromised since it was signed.

Vulnerability Testing

We periodically test our applications and infrastructure for vulnerabilities through third-party and internal penetration tests. In addition, we run ongoing vulnerability disclosure and reward programs under which security researchers evaluate our security continuously and are financially rewarded for the vulnerabilities they identify. If you believe you have found a vulnerability, please let us know (optionally encrypting your report with our public PGP key).

Macabacus’ security team investigates all reported vulnerabilities immediately and responds to reports as quickly as possible. We recognize that security research requires considerable time and effort, so we reward responsible security researchers who are the first to disclose a vulnerability to us, do so confidentially, and allow us adequate time to remedy it before disclosing it publicly. Reports are eligible for a reward if they are verified to affect the confidentiality or integrity of our users’ data. We do not reward reports that are not design or implementation vulnerabilities, such as spam, phishing, social engineering, brute-force attacks, or denial of service.

PGP

Macabacus publishes a public PGP key so that you can encrypt your communications with us when required. If you need to submit sensitive information to us, or otherwise need to send us a secure message, please encrypt it with our public key.

Internal Security

Access to sensitive information and cryptographic keys is strictly limited to those with a need to know. Administrative access always requires multi-factor authentication combined with strong password controls.

Incident Response

To learn more about how we handle security incidents, please see our Security Incident Response Plan.