Bidali Security PolicyLast updated on February 19th, 2019
Bidali Inc. ("Bidali") uses bank grade security systems and data encryption to protect you and your finances. The following controls are in place to guard against any unauthorized access to your personal or financial information. If you suspect that there has been any unauthorized activity on your account, please contact us immediately at firstname.lastname@example.org.
We employ tiered, role-based access controls that are enforced at each layer of our infrastructure. Multi-factor authentication is required for access to Bidali infrastructure and is limited to employees on a "need to know" basis.
All Bidali access credentials are strong, rotated regularly, are encrypted locally and are managed by one of the world's leading password management systems. Due to the length and randomness of our passwords, team members typically do not know their actual credentials. This reduces the likelihood of a third party's ability to guess, bruteforce or coherce people into giving up their passwords. We also have monitoring in place to track management and usage of these credentials.
All application and user access logs are stored centrally and monitored. Strong passwords are required for every user account. All passwords are cryptographically hashed using modern, proven standards.
All communication between Bidali's public facing websites and our APIs occur over HTTPS or Websockets encrypted using TLS and generally require API key authentication. All data is encrypted at rest within our data centres.
We do not share client data, our TLS private key or access to our TLS private key with any third parties or vendors.
We leverage the content-security policy (“CSP”) and HTTP Strict Transport Security (“HSTS”) features in modern browsers.
Redundancy and Availability
We strive to provide 100% uptime. You can view our system status here.
Our servers and data are hosted on Google Cloud Platform ("GCP") - one of the world's leading cloud service providers. Our infrastructure is deployed in multiple regions with redundancy for high availability, with regular backup and system monitoring strategies in place. These data centres employ strict security clearance, access and monitoring, and have alternative power backups in the event of power failure. More information on GCP security can be found here.
To protect against the event that a key team member is unable to perform their duties, we employ similar redundancy tactics within our team. Multiple people are always trained on how to perform critical business operations.
All the components that comprise the Bidali platform are regularly run through a rigorous automated testing suite as well as manual regression testing prior to being available for public use. Internal and external network penetration tests are also routinely performed.
The Bidali APIs only allow client requests using strong TLS protocols and ciphers. All communication between Bidali's public facing websites and our APIs occur over HTTPS or Websockets encrypted using TLS and in general require API key authentication.
All of our cloud infrastructure is distributed geographically and resides in an environment that utilizes network address translation (NAT) with strict firewall rules.
Rate-limiting is applied to certain account operations such as login attempts to thwart brute force attacks.
We partner with enterprise vendors to mitigate potential distributed denial-of-service (“DDoS”) attacks.
We operate a bug bounty program. If you think that you have found a security issue, please submit a report to us at email@example.com. You may choose to remain anonymous. Please sign any anonymous email with your publicly verifiable PGP key. We take all reports seriously, please do not publicly disclose the issue until we've addressed it.
We hold bank accounts with ATB Financial - a top tier, government owned, Canadian financial institution that guarantees deposits. All merchant funds are stored in segregated accounts that are separate from accounts used for our operations.
While we verify, escrow, and exchange cryptocurrency used during transactions on our platform ("In Transit") we hold custody of this cryptocurrency for brief periods of time in order to process transactions efficiently and securely.
The period of time we are in custody of cryptocurrency while In Transit varies based on the confirmation times of distributed ledgers and depends on the final settlement currency. Typical time frames vary from seconds to days.
Cryptocurrency In Transit is first received in one of our secure "hot wallets" and then, based on a merchant's settlement preference, is sent to reputable exchanges or OTC trade desks in order to perform exchanges. Our hot wallets reside on servers that do not have inbound internet access and the private keys used to sign transactions are encrypted. In order to minimize counter-party risk, the time that cryptocurrency is with an exchange or OTC desk is kept to a minimum.
We are constantly working to minimize our exposure to these assets while In Transit so that your currency is always yours, whether that be fiat or cryptocurrency. This reduces our liability, improves your liquidity and reduces your counter-party risk with us.
While in our custody your funds are never loaned out or used to invest in cryptocurrency.
If you have any questions or concerns feel free to contact firstname.lastname@example.org.