SECURITY

Our Security Measures

We take security very seriously. If you find a security flaw in one of our applications, please report it immediately to mail@secure.assembl.net, and we will take care of it ASAP. If you believe your bug is very urgent, please call us at +1 (307) 459-4590.

Here, we detail our basic tech stack, and what precautions we take to safeguard your privacy and data security.

Tech stack

Application layer

Because we build web apps, our applications are written almost entirely in JavaScript, with small pieces of infrastructure written in Python and C++.

  • Applications: React and Next.js
  • API: Node.js and Express.js
  • Serverless functions: JavaScript and Python on AWS Lambda

Infrastructure layer

Our infrastructure layer primarily runs on Amazon Web Services (AWS), with light use of Firebase and Netlify.

  • Website: A static Next.js site running on Netlify.
  • Newsletter: Sent via AWS SES and administered using Mailblast.io.
  • Web-app: A Next.js PWA running in Docker on AWS ECS, with CI/CD through Bitbucket Pipelines.
  • API: An Express.js API running in Docker on AWS ECS, with CI/CD through Bitbucket Pipelines.
  • User accounts: We use Firebase (on Google Cloud) for user authentication, and Firestore to store user data (like billing status and name).
  • Stored data: If you opt for us to store data like your Assembl certificates and timestamped files, your data will be stored in an encrypted AWS S3 bucket, with regular doubly-encrypted backups to S3 Glacier and Backblaze, in different availability zones.
  • Billing: Stripe integrated with webhooks processed by Firebase Functions.

Data transmitted to our servers

  • Your user information (your email, name, sign up date, and the last time you signed in).
  • Your billing status. (Not your payment details, just whether or not you have paid for a subscription. We delegate all payment data to Stripe, a PCI DSS-compliant payment provider also used by large companies like Google and Amazon.)
  • Hashes of your timestamped data, which are also stored on the public Stellar blockchain. A hash is an anonymous, non-traceable fingerprint of the data you timestamp or send through Assembl applications. If you have the data that went into a specific hash, you can verify that it matches, but you cannot work backwards from the hash to the data. All that anyone else sees is a random string of numbers and letters, like "50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c", which is the SHA-256 hash of "example".
  • Data you ask Assembl to store. This data is stored in an encrypted AWS S3 bucket, and backed up to Backblaze and S3 Glacier.
  • Minimal analytics data. We don't use invasive analytics that track you across websites, but we do use basic, privacy-preserving in-page analytics from GoatCounter. GoatCounter does not track your personal data, just attributes like your browser and screen size.
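
The hash verification described in the list above, as an added example for Node.js (not Assembl's code): it checks data against a published SHA-256 hash, and also shows the practical limit of the one-way property, namely that an input short or predictable enough to appear on a list of guesses can be matched by hashing each guess. The function names and the candidate list are assumptions made for illustration.

```javascript
// Added example, not Assembl's code. Requires Node.js.
const crypto = require('node:crypto');

// Hex SHA-256 digest of a string or Buffer.
function sha256Hex(data) {
  return crypto.createHash('sha256').update(data).digest('hex');
}

// True only if `data` hashes to `expectedHex` (a 64-character hex digest).
function matchesHash(data, expectedHex) {
  if (typeof expectedHex !== 'string' || !/^[0-9a-fA-F]{64}$/.test(expectedHex)) {
    throw new TypeError('expected a 64-character hex SHA-256 digest');
  }
  const actual = Buffer.from(sha256Hex(data), 'hex');
  const expected = Buffer.from(expectedHex, 'hex');
  // Both buffers are 32 bytes at this point, so timingSafeEqual cannot throw.
  return crypto.timingSafeEqual(actual, expected);
}

// Caveat: a hash protects the input only if the input is hard to guess.
// Given a list of likely inputs, hashing each one reveals which was used.
// Returns the matching candidate, or null if none matches.
function guessInput(candidates, publishedHex) {
  const hit = candidates.find((c) => matchesHash(c, publishedHex));
  return hit === undefined ? null : hit;
}

// The hash quoted on this page for the string "example".
const PUBLISHED = '50d858e0985ecc7f60418aaf0cc5ab587f42c2570a884095a9e8ccacd0f6545c';

// Constructed list of guesses, for illustration only.
const CANDIDATES = ['sample', 'example', 'test'];

console.log('original data matches:', matchesHash('example', PUBLISHED));
console.log('altered data matches: ', matchesHash('Example', PUBLISHED));
console.log('guessable input found:', guessInput(CANDIDATES, PUBLISHED));
```

Large or unpredictable data, such as a file's full contents, cannot be found this way; short predictable values can, so they should not be treated as hidden once their hash is public.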

Encrypted data transfer with Databeam

Databeam uses the fantastic open-source WebTorrent library in the backend. WebTorrent is a port of the BitTorrent standard to WebRTC (a browser feature present in Firefox, Google Chrome, Opera, Brave, Edge and Safari, used by web-apps like Google Hangouts). When you transfer your data using Databeam, absolutely none of the data you're transferring ever touches our servers, and the data is encrypted in-transit, using TLS/SSL.

We're serious about keeping your data safe, and Databeam's decentralized design ensures that there are no single points of failure a hacker could use to read the data you're transferring. To be extra sure that your data remains safe, you can use software like Cryptomator or GnuPG to encrypt it to your recipient beforehand. This will give you a rock-solid layer of security.

© 2020 Assembl Inc. All rights reserved.