Security and Performance
Keeping you and your status page subscribers safe.
Section 1
Product Security
All the features you need to keep your status page, team members and subscribers secure.
- SSL / HTTPS
In addition to our application and API, we also provide each status page with a free TLS certificate, even when using your companies own domain name. Let’s Encrypt issue and automatically renew these certificates on our behalf.
Help: Setting Up SSL- Password Policies
By default, we don’t enforce password policies, as if used poorly, they may, in fact, harm security, causing users to write them down if they’re hard to remember.
- Password Storage
All passwords are one-way encrypted when stored in the database, and the database itself encrypted at rest, to ensure the original password can never be compromised.
- SSO with Google & SAML
You can sign in to your Sorry account using Google, or a SAML provider of your choice. You can also ease the management of your team with just-in-time provision of new team members and single log-out.
- Roles & Permissions
We have a straightforward but practical approach to roles, ensuring that only the account owner can perform the most destructive activities, and only nominated team members can invite other people.
Got a security feature suggestion? We’d love to hear it.
Section 2
Network & Internal Security
Behind the scenes, we work hard to ensure that each piece of our infrastructure is secure.
Encryption
We encrypt all traffic to and from Sorry over HTTPS. Sensitive data such as email addresses and passwords are also encrypted when stored in the database.
The database files themselves are encrypted at rest on the file-system, as are any backups.
Password Management
Internally we use password managers like 1Password and LastPass to ensure that all passwords used by the team are complex and unique.
2FA Provider Logins
All critical infrastructure services, such as Herokuand AWS, are secured using 2FA, as an added layer upon the unique passwords.
Vulnerability & Pen-Testing
We run regular automated scans of our product using Intruder to help us identify potential vulnerabilities. We also make reporting a vulnerability easy for those who find them, with a dedicated mailbox.
Backups & Data Retentions
We run point-in-time style backups, allowing us to rollback data to any point over the past few days.
We also perform snapshot style backups on a nightly basis, again stored for about a week.
Section 3
Change Management
As a growing and agile business, we often deploy changes multiple times per day; this is how we keep things reliable.
- Regular, Small Changes
Making these small incremental changes, rather than substantial, weekly, monthly or quarterly releases, actually helps us minimize the risk of breaking something.
- Automated Testing
All changes released goes through our continuous integration pipeline, where we run 1000+ automated tests before deployment.
Post-release, we regularly test the application using automated tests from Ghost Inspector, which simulates everyday tasks, looking for errors.
- Version Control
We store all code in version-control with GitHub, this helps maintain a comprehensive audit of all changes, to make the diagnosis of issues more straightforward.
- Instant Rollbacks
We can quickly rollback a change after release if we find an issue, meaning we can speedily mitigate newly introduced bugs while we investigate the real cause.
Section 4
Incident Response
It’s our business, so we take it seriously.
- Monitoring
Early detection of issues is key to a good response. We use both Pingdom and NewRelic to monitor the application regularly, not only for the accessibility of particular endpoints but also performance thresholds such as load times and the length of background queues.
- Bug & Error Reporting
We track all errors in Sentry & NewRelic, which makes our diagnosis of issues when they arise a much quicker task.
- Alerting
We use PagerDuty to alert team members when our monitoring services spot an issue, ensuring that the alert gets to someone, even if they’re busy, or asleep in the middle of the night.
- Post-Incident Investigation
After incidents happen, we deep-dive into them, not only to understand what caused them but also assess how we could respond better next time around.
- Keeping You Notified
All of our customers are automatically subscribed to our status page, to receive notifications about incidents affecting the parts of our product they use..
We try our best to use honest and straightforward language to describe the issue, take responsibility for what’s happening, explain what’s broken, and set your expectations for when we’ll have it fixed.
Our “best practices” for incident response are available in our free guide Weathering the Storm.
Compliance
All the features you need to keep your status page, team members and subscribers secure.
We fully comply with GDPR, and also provide some features to help you stay compliant yourself when collecting subscriber information.
We’re regularly tested by Intruder to ensure we remain OWASP compliant, protecting against the most common vulnerabilities such as Injection, Broken Authentication and Cross-Site Scripting.
We are Cyber Essentials certified by the UK National Cyber Security Centre (NCSC).