Data security

We encrypt data both in transit and at rest. We use TLS 1.2+ to secure HTTP traffic, and AES-256 to encrypt data at rest in Google Cloud Storage.

Audit logs

We maintain audit logs for our infrastructure and for key actions within the DriveKey product. Customers can access product audit logs for their organization via our API. Our logs are structured and are retained for at least 30 days.

Secure SDLC

We consider security risks and tradeoffs from the beginning of the requirements definition and design process, through to implementation, deployment, and operations. We review for security concerns during our code review and pull request process, and we use automated scanners to detect vulnerabilities in open source dependencies.

Monitoring and alerting

We use a variety of tools for performance monitoring and error logging across our web application, data services, and background jobs. Alerts are configured to go to the appropriate on-call engineers.

Responsible disclosure policy

If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at heather@drive-key.com. We will acknowledge your email within one week.

Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.

Make a good-faith effort to avoid violating privacy, destroying data, or interrupting or degrading the DriveKey service. Please only interact with accounts you own or for which you have explicit permission from the account holder.

While researching, please refrain from:

  • Denial-of-Service (DoS)

  • Spamming

  • Social engineering or phishing of DriveKey employees or contractors

  • Any attacks against DriveKey’s physical property or data centers