Security policy
We take the protection of customer data extremely seriously and implement enterprise-level security standards to keep your data protected. We constantly monitor and improve our services to meet the growing demands and challenges of security.
GDPR Ready
Nold strictly implements the GDPR, the regulation that aims to protect user data.
Cloud Security Alliance
Nold has undergone the CSA STAR self-assessment, documenting and publishing our security controls in the CSA STAR registry.
PCI Level I
Nold has validated compliance with the PCI Data Security Standard (DSS) version 3.2 as a "Level 1" service provider.
We don't like to expose too much information about our security practices, for security reasons. However, we understand that security is very important to our customers, so we decided to share the following information. As you continue to learn more about Nold, we recommend that you also review our Terms of Service and Privacy Policy.
Infrastructure
- All of our services run in the cloud. We don't run our own routers, DNS servers, etc.
- All of our application and data infrastructure is hosted on Amazon Web Services, a highly scalable cloud computing platform with end-to-end security and privacy features. For more details about AWS security, visit http://aws.amazon.com/security
- Our infrastructure is spread across multiple data centers and will continue to work if any one of those data centers fails unexpectedly.
- We enforce 2-factor authentication and strong password policies on Bitbucket, AWS, Braintree and any other third-party services we use, to ensure that access to cloud services is protected.
Application
- All data sent to or from Nold is encrypted in transit using 256-bit encryption, as our API and application endpoints are TLS/SSL only.
- All customer data is encrypted at rest, including user email addresses, user passwords, billing details and API keys.
- Our public API uses OAuth authentication and allows you to generate and revoke API key-pairs.
- We have an uptime of 99.9% or higher. You can check our past month's stats at https://status.nold.io.
- We monitor and log our systems from outside of AWS with multiple tools, so that we can accurately detect and report any anomaly that could impact the delivery of our services.
- We don't make changes to live code. All changes go through development and staging phases, with testing and code review, followed by an automated deployment process.
Payment processing
We do not store any credit card information. We have partnered with Braintree for credit card and subscription processing. They power online transactions for thousands of businesses and SaaS platforms and comply with PCI standards in the storage and handling of credit card information and billing details. For more information on Braintree's security practices, please see https://www.braintreepayments.com/features/data-security
Bluetooth security
Bluetooth itself offers various security features by default, for example the quickly changing address to prevent man-in-the-middle attacks, or the AES encryption that is used for the communication between the phone and the device. Since Bluetooth (at least for now) only offers device authentication, we developed our own user authentication on top of it to make it more secure. When you activate the device, our servers generate multiple encryption keys that are written into the device; these keys are different for each device and each activation. Our mobile apps check and verify these keys on each connection, generating additional keys to communicate with the device. We also support firmware updates, so if we find any security issues, we can update all of our devices with secure OTA updates.
Questions
If you have any security questions, or if you believe you have found a security vulnerability, please don't hesitate to contact our security team at security@nold.io.