Rather than building security-critical components by ourselves
we use industry-proven, secure components and infrastructure
from experts, including:
Rather than managing our own infrastructure we use the hosting and database services of the Google Cloud Firebase platform. Outages and data loss can still happen on Google-maintained infrastructure, but they are far more likely on infrastructure one maintains oneself. The Firebase platform also holds a number of certifications, including ISO 27001, SOC 1, SOC 2 and SOC 3.
We do store email addresses, and optionally profile pictures, in our Firebase database because Trune needs them to work as intended. We do NOT manage any other personal data. In particular, passwords for email authentication are never stored by Trune: they are held by the Google Firebase Authentication service, and we use an industry-proven third-party component to handle registration, authentication, password reset and email verification.
We have implemented an authorization system in Trune to ensure a user can only access the data they are entitled to. For additional security we go one level further and have structured the data in two collections. The registeredUsers collection contains one object per user with that user's information, and only the authenticated user can read or write their own object. The teams collection contains all data belonging to a team, such as team info, templates, sessions, cards and action items. Only users who have joined the team, and guest users if guest access is enabled for that team, can read or write team data. On top of this data structure we have built a second layer of security on the backend: a small set of Firebase security rules that every read and write request must pass.
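As an added illustration of what such a second layer looks like (this is example code, not Trune's own rules), the following Firestore security rules enforce the two-collection model described above. The collection names registeredUsers and teams are taken from the text; the field names memberIds and guestAccessEnabled on a team document, and the use of Firebase anonymous sign-in for guest users, are assumptions made for the example.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {

    function signedIn() {
      return request.auth != null;
    }

    // registeredUsers/{userId}: a user may read and write only the document
    // whose id equals their own Firebase Auth uid. No one else can touch it.
    match /registeredUsers/{userId} {
      allow read, write: if signedIn() && request.auth.uid == userId;
    }

    // teams/{teamId}: assumed document shape (not taken from the page):
    //   memberIds:          list of uids of users who have joined the team
    //   guestAccessEnabled: boolean, whether guests may read/write this team
    match /teams/{teamId} {

      // Load the team document; used for both the team doc and its subcollections.
      // For a document that does not exist yet, get() raises an error, which
      // Firestore treats as a denial.
      function teamDoc() {
        return get(/databases/$(database)/documents/teams/$(teamId)).data;
      }

      function isMember() {
        return signedIn() && request.auth.uid in teamDoc().memberIds;
      }

      // Assumption: guests sign in with Firebase anonymous auth.
      function isGuest() {
        return signedIn()
          && request.auth.token.firebase.sign_in_provider == 'anonymous'
          && teamDoc().guestAccessEnabled == true;
      }

      // Creating a team: the document does not exist yet, so membership is
      // checked against the incoming data; the creator must list themselves.
      allow create: if signedIn()
        && request.auth.uid in request.resource.data.memberIds;

      // Reading or changing an existing team requires membership (or guest access).
      allow read, update, delete: if isMember() || isGuest();

      // Templates, sessions, cards, action items, ... live in subcollections
      // under the team and inherit the same check.
      match /{collection}/{document=**} {
        allow read, write: if isMember() || isGuest();
      }
    }
  }
}
```

Two caveats a reviewer would raise against this example: with the rules as written, any member's update on the team document may also change memberIds or guestAccessEnabled, so a production rule set should restrict updates to those fields (for instance by inspecting request.resource.data.diff(resource.data).affectedKeys()); and every subcollection access performs a get() of the team document, which counts as an extra document read and is subject to the per-request limit on get() calls in rules.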
We could not handle all the complexity and procedures needed to keep every new piece of code, or a self-managed infrastructure, as certified and secure as it would be in a trusted IT landscape. Therefore we leave these security-critical topics to leading companies that spend billions of dollars on data security.
And the best part: our developers have more time to focus on Trune.
2FA is mandatory for all employees with access to production services
All connections are encrypted with TLS
Integration component secured and maintained by Stripe team
Integration component maintained by Firebase and Mailchimp team
Every single read/write request has to pass a manageable rule set
Credit card numbers are not stored in Trune but securely with Stripe