Work for Impact’s users trust us with many projects and ideas every month. As a company, we are committed to meeting their data protection and data security needs. This page presents an overview of our practices and policies, which help us keep your personal information safe and secure. We will expand and update this information as we make new security improvements to our platform.
We employ a dedicated security specialist to oversee and upgrade our technical, operational, and organizational measures to protect the users, assets, and employees against unauthorized or accidental data access, loss, alteration, disclosure, or destruction. Our security specialist also ensures that we comply with industry-standard privacy and security measures and all applicable data privacy and security laws and regulations.
We maintain a strict password policy across the organization. Every employee uses a password manager, and we regularly check the passwords for security. We also use multi-factor authentication and single sign-on services wherever possible.
We store customer data in multi-tenant storage systems. The users can't directly access the underlying application infrastructure. Access to sensitive data is role-based (on a "need to know" basis), only for specific purposes.
A limited number of trained employees have access to the products and customer data via controlled interfaces. Employees are granted access by role, and we log all such access requests.
We separate the development, testing, and production environments. For our cloud services, we use Google Cloud. You can read more about Google Platform security here.
All our team members and contractors undergo privacy and security training during onboarding and sign confidentiality or non-disclosure agreements. Access rights are reviewed periodically and revoked when an employee leaves the company.
Preventing Unauthorized Infrastructure Access
Physical and environmental security
Our platform is hosted by Heroku, a multi-tenant, outsourced infrastructure provider. Heroku has been audited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
We undertake the following measures for maximum network security:
- Virtual Private Cloud (VPC)
- Security group assignment
- Firewall rules
- Web Application Firewall (WAF)
Testing and bug hunting
We regularly undertake penetration testing. Penetration reports are available to the users. We also run a bug bounty program and actively encourage all users to provide feedback on the platform’s performance.
All data is encrypted in transit and at rest. We use standard encryption protocols (e.g., TLS 1.2+ in transit), and our UI is available only over a secure HTTPS connection.
We maintain logs of the system behaviour and traffic. Our team considers privacy the top priority, and they always respond swiftly to incident reports.
Tracking and response
We maintain a record of known security incidents and take appropriate steps to minimize damage to the product and to customers, as well as unauthorized disclosure. In the case of an incident, we will notify our users in accordance with the Terms of Service.
Work for Impact aims for 99.9% uptime of the infrastructure. In addition, we maintain policies and procedures to ensure that we continue to provide business-critical functions in the face of an extraordinary event. These policies include:
- data center resiliency and disaster recovery procedures for business-critical data and processing functions,
- backup and replication strategies,
- regularly tested rollbacks,
- redundancy and seamless fail-over.