Security Policy

This Security Policy describes Reverse Contact's security program and the technical and organizational controls in place to protect customer data from unauthorized use, access, disclosure or theft, and to safeguard the Reverse Contact services. As security threats evolve, Reverse Contact continues to update its security program and strategy. Reverse Contact reserves the right to update this Security Policy from time to time, provided that any update will not materially reduce the overall protections described herein.

Security Program

Reverse Contact maintains a risk-based security assessment program. The framework includes administrative, organizational and technical safeguards designed to protect Reverse Contact services and the confidentiality, integrity and availability of customer data. The security program is intended to be appropriate to the nature of the services and the size and complexity of Reverse Contact's business operations.

Confidentiality

All Reverse Contact employees and contract personnel are bound by contractual agreements and internal policies regarding the confidentiality of customer data, and are contractually obligated to comply with these obligations.

People Security

All Reverse Contact employees must complete a security and privacy training covering Reverse Contact security policies, security best practices and privacy principles.

All application passwords must be saved in a password manager. Each service must have its own unique password. Where available, two-factor authentication (2FA) must be enabled — using a physical key where possible, or otherwise a 2FA application. SMS-based 2FA is not permitted.

Third-Party Vendor Management

Vendor Assessment

Reverse Contact may use third-party vendors to provide certain services. Before engaging with any prospective vendor, Reverse Contact carries out a security risk-based assessment to validate that the vendor meets Reverse Contact's security requirements.

Vendor Agreements

Reverse Contact enters into written agreements with all of its vendors. These agreements include confidentiality, privacy and security obligations that provide an appropriate level of protection for any customer data those vendors may process.

Hosting Architecture and Data Segregation

Google Cloud Platform

The Reverse Contact services are hosted on Google Cloud Platform (GCP) in Belgium. Customer data stored within GCP is encrypted at all times. GCP does not have access to unencrypted customer data. More information about GCP security is available at https://cloud.google.com/docs/security/overview/whitepaper.

Databases

Databases are not open to the public. Any connection from a disallowed IP address is rejected. Only connections from within Reverse Contact's internal network (on Google Cloud or on the Tailscale network) are permitted.

Where possible, data is pseudonymized — in particular, data related to email verifications. Pseudonymization prevents data from being exploited in the event of a breach. OAuth and refresh tokens are stored encrypted using the aes-256-cbc algorithm. Passwords are stored encrypted using the bcrypt function.

Services

All network access between production hosts is restricted, using access control lists to allow only authorized roles to interact within the production network. Access control lists are used to manage network segregation between different security zones in both production and corporate environments, and are reviewed regularly.

Security by Design

Reverse Contact follows security-by-design principles when building its services. This includes performing internal security reviews before deploying new services or code, conducting penetration tests of new services by independent third parties, and running regular scans to detect potential security threats and vulnerabilities.

Access Controls

Provisioning Access

To minimize the risk of data exposure, Reverse Contact follows the principle of least privilege through a role-based access control model when provisioning system access. An employee's access to customer data is promptly removed upon termination of their employment.

To access the production environment, an authorized user must have a unique username, a password and multi-factor authentication enabled. Reverse Contact logs high-risk actions and changes in the production environment. By default, links holding data (password reset, email change, email validation, etc.) are encrypted using the aes-256-cbc algorithm. Automation is used to detect any deviation from internal technical standards, including malicious usage.

Password Controls

Users cannot create an account on Reverse Contact using a compromised password from the haveibeenpwned.com database.

Logs

The following actions are logged:

On Google Cloud Logging, every HTTP request is recorded.

Every sensitive user action is stored in the database.

Every support agent action is stored in the database.

Vulnerability Management

Reverse Contact maintains controls to mitigate the risk of security vulnerabilities by using a third-party tool to conduct regular vulnerability scans across its infrastructure and systems. Critical software patches are evaluated, tested and applied proactively.

Customer Data Backups

Reverse Contact performs the following backups of its data:

On-site backups managed by Google, performed daily, encrypted at rest through the Advanced Encryption Standard (AES) algorithm. Further information is available at https://cloud.google.com/docs/security/encryption/default-encryption.

On-site backups managed by Reverse Contact, performed daily, stored in a Google Cloud Storage (GCS) bucket and encrypted at rest via GCS. Further information is available at https://cloud.google.com/docs/security/encryption/default-encryption.

Off-site backups managed by Reverse Contact, performed weekly, encrypted through the age algorithm.