Bidali Security PolicyLast updated on May 14th, 2020
Bidali Inc. ("Bidali") uses bank grade security systems and data encryption to protect you and your data. The following controls are in place to guard against any unauthorized access to your personal or financial information. If you suspect that there has been any unauthorized activity on your account, please contact us immediately at email@example.com.
We employ tiered, role-based access controls that are enforced at each layer of our infrastructure. Multi-factor authentication is required for access to Bidali infrastructure and is limited to employees on a "need to know" basis.
All Bidali access credentials are strong, rotated regularly, are encrypted locally and are managed by one of the world's leading password management systems. Due to the length and randomness of our passwords, team members typically do not know their actual credentials. This reduces the likelihood of a third party's ability to guess, bruteforce or coherce people into giving up their passwords. We also have monitoring in place to track management and usage of these credentials.
All application and user access logs are stored centrally and monitored. Strong passwords are required for every user account. All passwords are cryptographically hashed using modern, proven standards.
All communication between Bidali's public facing websites and our APIs occur over HTTPS or Websockets encrypted using TLS and generally require API key authentication. All data is encrypted at rest within our data centres.
We do not share client data, our TLS private key or access to our TLS private key with any third parties or vendors.
We leverage the content-security policy (“CSP”) and HTTP Strict Transport Security (“HSTS”) features in modern browsers.
Redundancy and Availability
We strive to provide 100% uptime. You can view our system status here.
Our servers and data are hosted on Google Cloud Platform ("GCP") - one of the world's leading cloud service providers. Our infrastructure is deployed in multiple regions with redundancy for high availability, with regular backup and system monitoring strategies in place. These data centres employ strict security clearance, access and monitoring, and have alternative power backups in the event of power failure. More information on GCP security can be found here.
To protect against the event that a key team member is unable to perform their duties, we employ similar redundancy tactics within our team. Multiple people are always trained on how to perform critical business operations.
All the components that comprise the Bidali platform are regularly run through a rigorous automated testing suite as well as manual regression testing prior to being available for public use. Internal and external network penetration tests are also routinely performed.
The Bidali APIs only allow client requests using strong TLS protocols and ciphers. All communication between Bidali's public facing websites and our APIs occur over HTTPS or Websockets encrypted using TLS and in general require API key authentication.
All of our cloud infrastructure is distributed geographically and resides in an environment that utilizes network address translation (NAT) with strict firewall rules.
Rate-limiting is applied to certain account operations such as login attempts to thwart brute force attacks.
We partner with enterprise vendors to mitigate potential distributed denial-of-service (“DDoS”) attacks.
We operate a bug bounty program. If you think that you have found a security issue, please submit a report to us at firstname.lastname@example.org. You may choose to remain anonymous. Please sign any anonymous email with your publicly verifiable PGP key. We take all reports seriously, please do not publicly disclose the issue until we've addressed it.
We hold bank accounts with ATB Financial - a top tier, government owned, Canadian financial institution that guarantees deposits. All transactional funds are stored in segregated accounts that are separate from accounts used for our day-to-day operations.
Bidali only custodies its own crypto-assets that it has received in exchange for goods and services that Bidali provides directly to its customers. Bidali does not escrow, hold or custody crypto-assets on behalf of our customers or any other parties.
If you have any questions or concerns feel free to contact email@example.com.