Security Policy
The security of your personal information and data is critical to everything that we do here at Hela. Here are some relevant details about the safeguards we have built into our technology stack.
Overview
- The Hela app needs to know the identity of a user. Knowing a user's identity allows the app to securely save user data and provide the same personalized experience across all of the user's devices.
- Hela Authentication integrates tightly with Firebase encryption services, and it leverages industry standards like OAuth 2.0 and SSO.
- Hela provides access control and data validation in a format that supports multiple levels of complexity. To build user-based and role-based access systems that keep your users' data safe, use Firebase Authentication with Firebase Security Rules.
Identify users
Authentication identifies users requesting access to your data and provides that information as a variable you can leverage in your rules. The auth variable contains the following information:
- uid: A unique user ID, assigned to the requesting user.
- token: A map of values collected by Authentication.
The auth.token variable contains the following values (field: description):
- email: The email address associated with the account, if present.
- phone_number: The phone number associated with the account, if present.
- name: The user's display name, if set.
- sub: The user's Firebase UID. This is unique within a project.
Data At Rest / Infrastructure
- Personal IDs are hashed using PBKDF2 with 100k iterations and salted to make rainbow table attacks more difficult.
- Sensitive information is encrypted using split-key encryption with partial keys held by separate employees.
- Customer data is stored on single-tenant hardware in private networks in at least three separate geographic locations and is inaccessible from the outside world.
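As an added illustration (not Hela's code), salted PBKDF2 hashing of an identifier at the 100k iterations stated above can look like this in Python. The HMAC-SHA-256 hash, 16-byte salt, record layout and sample ID are assumptions; the page specifies none of them.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # iteration count stated on the page
HASH_NAME = "sha256"  # assumption: the page does not name the underlying hash
SALT_BYTES = 16       # assumption: the page does not give a salt length


def hash_personal_id(personal_id: str) -> str:
    """Return a storable record: pbkdf2$hash$iterations$salt_hex$digest_hex."""
    salt = secrets.token_bytes(SALT_BYTES)  # fresh random salt for every record
    digest = hashlib.pbkdf2_hmac(
        HASH_NAME, personal_id.encode("utf-8"), salt, ITERATIONS
    )
    return f"pbkdf2${HASH_NAME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_personal_id(candidate: str, record: str) -> bool:
    """Recompute the hash using the salt and iteration count kept in the record."""
    try:
        scheme, hash_name, rounds_s, salt_hex, digest_hex = record.split("$")
        rounds = int(rounds_s)
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2" or hash_name != HASH_NAME:
        return False
    if not 1 <= rounds <= 10 * ITERATIONS:  # bound the work a stored value can demand
        return False
    actual = hashlib.pbkdf2_hmac(hash_name, candidate.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(actual, expected)  # constant-time comparison


if __name__ == "__main__":
    sample = "ID-1234-5678"  # constructed sample value, not a real identifier
    first, second = hash_personal_id(sample), hash_personal_id(sample)
    # Same input, different salts: the stored digests differ, so one
    # precomputed table cannot cover both records.
    print(first != second, verify_personal_id(sample, first))
```

Keeping the iteration count inside each record lets old records still verify after the count is raised for new ones.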
Data In Transit
- Data is never sent in plaintext. All web traffic is sent over Transport Layer Security (TLS) with HSTS for privacy and security.
- Inter-data-center communication is protected by Internet Protocol Security (IPsec) with AES-256.
Policies
- Aggressive biannual encryption key rotation schedule.
- Servers are firewalled and regularly updated with the latest security patches.
- We follow OWASP best practices and all code is peer-reviewed before deployment.
- For access controls, we follow principles of least privilege.