Security

Protecting customer data is a top priority at Delighted. We understand you are trusting us with your data and we take the responsibility of securing it extremely seriously.

While it is impossible for any system to be 100% secure – anyone who makes that guarantee is being either dishonest or naive – we work hard to keep your data safe and secure. Below is a summary of the steps we take.

Server communications

We force HTTPS for all web resources, including our public website. We also use HSTS to ensure that browsers communicate with our services using HTTPS exclusively.

Our servers are protected by firewalls and not directly exposed to the Internet. Administrative access to servers is secured by SSH authenticated by keys.

Passwords and two-factor authentication

We never store your password in a form that can be retrieved. Instead, we store an irreversible cryptographic hash using a function specifically designed for this purpose.

We provide optional two-factor authentication (we call this 2-step security) to all accounts. 2-step security affords you greater protection on your account. Once it is enabled, you’ll be asked for a code that we send to your mobile phone, in addition to your username and password, when signing into Delighted.

Additionally, we monitor and rate limit authentication attempts on all accounts.

Data storage and backups

Data stores are accessible only by servers that require access. Access keys are stored separately from our source code repository and only available to the systems that require them. Additionally, production environments are sandboxed from testing environments.

All sensitive information (including passwords, API keys, and security questions) is filtered from our server logs.

We maintain secure backups of important data for a minimum of 30 days. We do not retroactively remove deleted data from backups, as we may need to restore it if it was removed accidentally.

Disclosure

If you have any concerns or discover a security issue, please email us at security@delighted.com and we will quickly investigate. You can optionally use our public key to protect communications. We request that you do not publicly disclose any issue you discovered until after we have addressed it.