The Storecove hardware infrastructure, fully hosted by Amazon Web Services, is protected according to the PCI-DSS hardware standard, ISO 27001 certified and regularly scanned for vulnerabilities by our partner Acunetix.
Storecove runs as a web application using third-party cloud platforms. Storecove currently runs on Amazon Web Services, and our servers are located in Europe. We may use other cloud providers that meet our security and availability needs in the future if appropriate.
All of the data exchanged in Storecove is sent over secure (TLS) connections. Our public web application runs only on HTTPS, and our internal network links (between service tiers, databases, and caches) are each encrypted at the transport layer as appropriate.
In order to provide our service, Storecove must store some of your sensitive information on our servers. We may store your API keys, credentials, or an OAuth token. We will always use a token or API key if possible, and we only store passwords if absolutely necessary for a service integration.
All of your sensitive data is stored in an encrypted format. We use open-source cryptographic libraries and standard algorithms (AES-256 for symmetric operations and RSA 4096 bit for asymmetric operations). We never write our own cryptographic code or modify existing libraries.
The data we store is also regularly backed up via our cloud providers. The backups are kept in the same format as the original data and thus require access to our master keys to decrypt.
The keys to decrypt your data are stored only on a secure subset of Storecove's servers. These keys are stored as runtime configuration, and are never checked in to source code. The computers that are able to decrypt your API keys, OAuth tokens, and passwords run in an isolated application that is not accessible to the public internet. This means that if Storecove's public-facing servers are attacked, the master encryption keys will not be compromised.
Your secrets are only decrypted when they are needed to perform some operation on your behalf and the decrypted data is never written to disk or logged.
Due to the architecture of our system, it is technically possible for a Storecove employee to gain access to your secret data. As a matter of corporate policy, this kind of access is forbidden. Therefore, we have strong internal controls in place to prevent this unlikely event. We never manually decrypt your data, even when debugging issues with our systems or with third parties. We've built a suite of internal tools that allow an operator to perform actions using your secret data without actually logging in to our secure fleet.
A limited set of Storecove employees have access to the secure fleet and the master encryption keys - this access is only granted to employees for whom it is absolutely necessary. Third parties or contractors will never gain access to Storecove's secure hosts or master keys. All internal access to all of Storecove's systems (secure or otherwise) is logged and audited.
Like other web applications, Storecove creates and collects application logs that track what our servers are doing on each request. These logs are used to find and fix bugs in Storecove and to help us monitor the performance and uptime of the application. We have comprehensive filtering in place to ensure that no sensitive data is logged.
Storecove uses modern web frameworks and follows those frameworks' best practices for securing access. We monitor for bugs and security patches in all the systems we use and apply updates religiously. In addition, we've engaged external security firms to perform penetration tests and source code audits on Storecove's systems, and we will continue with those tests and audits regularly in the future.
We want to hear from you! We're grateful for security researchers who practice responsible disclosure. Please contact us at firstname.lastname@example.org with the details of the problem you've found. We treat these reports as our highest priority and we'll get back to you immediately. And we promise not to seek legal action against those who fully disclose security issues to Storecove and do not maliciously exploit those vulnerabilities.