Security

Tinfoil Security needs a lot of information about you and your sites in order for us to do our job properly, and we value your security as much as you do. We understand that protecting your privacy and security is absolutely vital in maintaining the trust you place in us, and so we strive to take every possible step towards achieving exactly that.


How do we protect you?

Tinfoil Security runs a number of services to power its platform, all hosted on third party cloud providers. Our website is hosted on Heroku. Our other services run on Heroku, Amazon Web Services (AWS) and Rackspace.


The website uses HSTS to force a secure TLS connection with our users, while additionally employing the use of mutually authenticated TLS for communications between all of our other services.


We encrypt or hash all of your sensitive information before storing it. In the case of passwords, we hash the data using bcrypt, with a unique salt. Conversely, when dealing with retrievable data like API keys, we encrypt them using AES-256, in CBC-mode, with securely generated, unique IVs and salts.


We support one secure method of payment on our website: credit card payments via Stripe. We never collect your credit card information, and instead securely pass the information to our payment provider. As a result, we cannot access your credit card information, as it never passes through our servers.


Signing Keys

Tinfoil Security signs its open source Ruby gems in order to protect you from falling prey to malicious code being inserted into libraries we write. Our public certificate is included within our gems, and also included here for posterity.


Disclosure

If you believe you've found a vulnerability in any Tinfoil Security software, we'd love to hear about it! We take our own security very seriously, and will investigate all potential security issues brought to our attention. We'll even send you some sweet Tinfoil swag for helping us out!

If you're comfortable with PGP, you can email us securely using the PGP key to the right. Otherwise, contact us using our Keybase account, and they'll handle the encryption for you. Our only request is that you refrain from publicly disclosing any issues until they've been addressed by our security team.

Fingerprint: 5139 163F 10A2 3C6C D713 B8C7 2197 6F6E 50B9 444B
Size: 4096 Bits
ID: 50B9444B