How we keep your information secure
Security is of utmost importance at PickFu. This page outlines our current practices as of April 17, 2021.
Business and HR information
PickFu currently employs 14 people. From time to time, we may employ additional consultants. Anyone who works with PickFu directly or as a consultant must sign non-disclosure and security best practices agreements.
The PickFu organization is fully remote with no physical offices. Employees are not required to work at any given location. Some of the countries where we have employees include the following: USA, Canada, Mexico, Philippines, Brazil, Argentina. As a remote organization, we keep all records digitally.
All digital information is stored in the cloud using established business-grade software providers, including, but not limited to, Google, Amazon (via Heroku; see below), Asana, Slack, etc. The team has no access to physical servers and no access to data centers. With cloud storage, data may be geographically dispersed, depending on the implementation of the cloud provider.
Computer and physical security
Depending on their employment status, employees use a combination of work-issued and personal devices. For directly employed team members, PickFu maintains a list of company-owned inventory.
- Spyware and anti-virus software are provided for each person.
- Team members are advised to follow these practices:
- Do not use public Wi-Fi networks.
- Do not leave devices unattended or unsecured.
- Use multi-factor authentication.
- Change passwords every 6 months.
Encryption and hosting
- User passwords are hashed and encrypted before being stored. Passwords are never stored in plain text and are filtered out of our application logs.
- Access to customer data is only accessible by certain employees for whom access is necessary to do their job. These employees are made aware of our data privacy and protection policies.
- All data communication between the PickFu web application and our back-end service is encrypted with TLS. We use Automated Certificate Management provided by Let’s Encrypt.
- The PickFu web application is hosted by and served from Heroku. All data is stored in Heroku's Postgres database service. Heroku's security policy may be found here.
- Credit card information is never stored by PickFu. Credit card information is encrypted, directly transmitted to Stripe, and stored and processed via PCI-compliant procedures. Full details may be found on the Security at Stripe page. PickFu stores a token provided by Stripe to reference a customer's credit card through the Stripe API. Credit cards are never stored on PickFu servers, nor do we have access to any card number or details. This information does not pass through PickFu servers (we have no logs with credit card information). All communication with Stripe is handled over an encrypted TLS connection.
- Customer-uploaded media assets are securely transmitted to, processed by, and stored by Cloudinary, a cloud-hosted media platform. Its security policy may be found on its Trust page.
A customer's relationship with PickFu is at will, with no contract or defined engagement term. The customer can pause their use of PickFu and come back at any time. If a customer chooses to permanently close their account and delete their data, they can do so by emailing our support staff at [email protected].
- Server and application logs are retained for a maximum of one week, after which they are permanently deleted. Application analytics will be permanently deleted on request.
- When a customer requests account deletion, the customer's information and identity are scrubbed from the system.
Team members are required to undergo information security training as part of their onboarding and annually during their employment.
Compliance concerns, violations, and vulnerabilities may be reported to [email protected].