Security and Performance

In addition to our application and API, we also provide each status page with a free TLS certificate, even when using your companies own domain name. Let’s Encrypt issue and automatically renew these certificates on our behalf.

By default, we don’t enforce password policies, as if used poorly, they may, in fact, harm security, causing users to write them down if they’re hard to remember.

All passwords are one-way encrypted when stored in the database, and the database itself encrypted at rest, to ensure the original password can never be compromised.

You can sign in to your Sorry account using Google, or a SAML provider of your choice. You can also ease the management of your team with just-in-time provision of new team members and single log-out.

We have a straightforward but practical approach to roles, ensuring that only the account owner can perform the most destructive activities, and only nominated team members can invite other people.

We encrypt all traffic to and from Sorry over HTTPS. Sensitive data such as email addresses and passwords are also encrypted when stored in the database.

The database files themselves are encrypted at rest on the file-system, as are any backups.

Internally we use password managers like 1Password and LastPass to ensure that all passwords used by the team are complex and unique.

All critical infrastructure services, such as Herokuand AWS, are secured using 2FA, as an added layer upon the unique passwords.

We run regular automated scans of our product using Intruder to help us identify potential vulnerabilities. We also make reporting a vulnerability easy for those who find them, with a dedicated mailbox.

We run point-in-time style backups, allowing us to rollback data to any point over the past few days.

We also perform snapshot style backups on a nightly basis, again stored for about a week.

Making these small incremental changes, rather than substantial, weekly, monthly or quarterly releases, actually helps us minimize the risk of breaking something.

All changes released goes through our continuous integration pipeline, where we run 1000+ automated tests before deployment.

Post-release, we regularly test the application using automated tests from Ghost Inspector, which simulates everyday tasks, looking for errors.

We store all code in version-control with GitHub, this helps maintain a comprehensive audit of all changes, to make the diagnosis of issues more straightforward.

We can quickly rollback a change after release if we find an issue, meaning we can speedily mitigate newly introduced bugs while we investigate the real cause.

Early detection of issues is key to a good response. We use both Pingdom and NewRelic to monitor the application regularly, not only for the accessibility of particular endpoints but also performance thresholds such as load times and the length of background queues.

We track all errors in Sentry & NewRelic, which makes our diagnosis of issues when they arise a much quicker task.

We use PagerDuty to alert team members when our monitoring services spot an issue, ensuring that the alert gets to someone, even if they’re busy, or asleep in the middle of the night.

After incidents happen, we deep-dive into them, not only to understand what caused them but also assess how we could respond better next time around.

All of our customers are automatically subscribed to our status page, to receive notifications about incidents affecting the parts of our product they use..

We try our best to use honest and straightforward language to describe the issue, take responsibility for what’s happening, explain what’s broken, and set your expectations for when we’ll have it fixed.

Our “best practices” for incident response are available in our free guide Weathering the Storm.

We fully comply with GDPR, and also provide some features to help you stay compliant yourself when collecting subscriber information.

We’re regularly tested by Intruder to ensure we remain OWASP compliant, protecting against the most common vulnerabilities such as Injection, Broken Authentication and Cross-Site Scripting.

We are Cyber Essentials certified by the UK National Cyber Security Centre (NCSC).

We have completed a full security assessment with Risk Ledger, removing the need for security questionnaires being completed.