TablesReady's Security Details
Introduction
As a web application for managing customer waitlists and bookings, we recognize the importance of excellent security practices. While we are a small team, we work hard to punch above our weight on security.
This document covers our security practices and policies. If you are interested in the data we collect and store, please see our privacy policy.
General practices
- Access to servers, source code, and third-party tools is secured with two-factor auth.
- We use strong, randomly-generated passwords that are never re-used.
- Employees and contractors are given the lowest level of access that allows them to get their work done. This rarely includes access to production systems or data.
- We don't copy production data to external devices (like personal laptops).
Access control and organizational security
Personnel
Our employees and contractors sign an NDA before gaining access to sensitive information.
Firewalls, VPNs, and physical security
As a fully remote organization, we do not have a company network. We employ a "Zero Trust" security model where employees must authenticate to access TablesReady resources each time.
When employees are working from any public network, they are required to use a secure VPN.
Authentication
Initial customer sign-ups must use passwords that contain at least one uppercase character, one number, one symbol, and be at least 8 characters long.
Customers may invite other users to their account. These users are sent emails with a personalized invite link. Each team member can use that link to set up a new account with their email and password. User passwords are hashed using bcrypt before being stored. Invite links expire after 30 days.
When a user logs in, they are given a JSON web token. The token is invalidated after 24 hours of inactivity. All further interaction with the API is done by providing an Authorization header with this token.
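The authentication rules above (password policy at sign-up, bcrypt hashing before storage, a bearer token that stops working after 24 hours of inactivity) can be implemented as below. This is an added illustration, not TablesReady's own code, and it makes several assumptions the page does not state: that the token is an HS256 JSON web token whose `iat` claim records the last activity, that the inactivity window slides (each authenticated request re-issues the token with a fresh `iat`), and that the header has the form `Authorization: Bearer <token>`. bcrypt is not part of Python's standard library, so `hashlib.scrypt` stands in for it here; a real deployment would use the bcrypt package exactly as the page says.

```python
"""Added example: sign-up password policy, salted slow hashing, and a
24-hour sliding-inactivity bearer token. Not TablesReady's code."""
import base64
import hashlib
import hmac
import json
import os
import string
from typing import Optional

INACTIVITY_LIMIT = 24 * 60 * 60  # seconds of inactivity after which a token is invalid


def password_meets_policy(pw: str) -> bool:
    """Sign-up rule from the page: >= 8 chars, one upper-case letter, one digit, one symbol."""
    return (
        len(pw) >= 8
        and any(c.isupper() for c in pw)
        and any(c.isdigit() for c in pw)
        and any(c in string.punctuation for c in pw)
    )


def hash_password(pw: str, salt: Optional[bytes] = None) -> str:
    """Salted, deliberately slow hash. scrypt stands in for bcrypt (assumption);
    the stored form is 'salt_hex$digest_hex'."""
    salt = salt or os.urandom(16)
    digest = hashlib.scrypt(pw.encode(), salt=salt, n=2**14, r=8, p=1)
    return salt.hex() + "$" + digest.hex()


def verify_password(pw: str, stored: str) -> bool:
    salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.scrypt(pw.encode(), salt=bytes.fromhex(salt_hex), n=2**14, r=8, p=1)
    return hmac.compare_digest(candidate.hex(), digest_hex)  # constant-time compare


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def issue_token(secret: bytes, user_email: str, now: int) -> str:
    """Minimal HS256 JWT; 'iat' doubles as the last-activity timestamp (assumption)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps({"sub": user_email, "iat": now}).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_token(secret: bytes, token: str, now: int) -> Optional[dict]:
    """Return the claims if the signature is valid and the token has been used
    within the last 24 hours; otherwise None."""
    try:
        header, payload, sig = token.split(".")
    except ValueError:
        return None
    expected = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(_b64url(expected), sig):
        return None
    claims = json.loads(_b64url_decode(payload))
    if now - int(claims.get("iat", 0)) > INACTIVITY_LIMIT:
        return None  # more than 24h since last activity: invalidated
    return claims


def authenticate_request(secret: bytes, headers: dict, now: int):
    """Check the Authorization header of an API request. On success return the
    claims plus a re-issued token whose 'iat' is now, so the 24-hour window is
    measured from the most recent activity (sliding window, assumption)."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None, None
    claims = verify_token(secret, auth[len("Bearer "):], now)
    if claims is None:
        return None, None
    return claims, issue_token(secret, claims["sub"], now)


if __name__ == "__main__":
    # Constructed sample walk-through: sign up, log in, call the API an hour later.
    secret = os.urandom(32)
    assert password_meets_policy("Waitlist1!")
    stored = hash_password("Waitlist1!")
    assert verify_password("Waitlist1!", stored)
    token = issue_token(secret, "owner@example.com", now=1_700_000_000)
    claims, refreshed = authenticate_request(
        secret, {"Authorization": "Bearer " + token}, now=1_700_000_000 + 3600)
    print(claims["sub"], refreshed is not None)
```

The client stores only the latest token it received; because every valid request returns a refreshed token, a user who keeps working never hits the limit, while a token left idle for more than 24 hours is refused on its next use regardless of how recently it was issued.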
Encryption
All communication between the TablesReady frontend and our backend is encrypted with TLS 1.2 (or 1.3 if supported). Our backend server is managed by Heroku and uses their Automated Certificate Management service. Our domain is protected by Cloudflare and uses their end-to-end encryption. User data is stored in Heroku Postgres; details of their implementation are documented by Heroku.
Data retention/logging
Logs are stored separately from our backend infrastructure in Datadog. These logs are retained for 30 days, after which they are permanently deleted.
Customer application data is deleted 18 months after the last login by default. This can be modified to be deleted as soon as 1 day after it is created in the customer's Data Retention settings.
Software development practices
- Code written by any developer is reviewed by at least one other person before committing.
- The code is tested in a staging environment against a QA checklist before deploying to production.
Vulnerability and threat detection
Both the client and our backend are regularly scanned for dependencies with known security vulnerabilities. Vulnerable dependencies are patched and redeployed rapidly.
TablesReady uses Datadog's Application Security Monitoring (web application firewall) to detect and protect against threats targeting our production systems in real-time.
Hosting
Our backend server is hosted on Heroku, which runs on top of Amazon Web Services. Amazon's data center operations have been accredited under:
- ISO 27001
- SOC 1 and SOC 2/SSAE 16/ISAE 3402 (Previously SAS 70 Type II)
- PCI Level 1
- FISMA Moderate
- Sarbanes-Oxley (SOX)
Our billing system is provided by Recurly, a PCI-compliant subscription billing platform. Stripe processes all credit card transactions.
TablesReady's messages are sent via Telnyx and Twilio, both communications platforms-as-a-service. We have reviewed the security practices of each, both of whom are SOC 2 Type I & II certified.
Disaster recovery and backups
TablesReady makes every effort to ensure the reliability and availability of its services. However, we rely on the disaster preparedness of providers such as Cloudflare, Heroku, and Amazon Web Services to recover from major outages and other incidents.
Database backups are performed daily, retained for 7 days, and can be restored within hours.
In the event of a messaging outage at one of our providers, we are able to fail over to either Twilio or Telnyx to ensure message deliverability.
FAQs
What user data do you collect?
We do not sell or provide any customer or end-user data to any third party, except in the course of and as necessary for providing the service.
We do collect information in Amplitude (a product analytics platform) about how users are interacting with our app so we can improve the product and provide faster, more effective support when issues arise. These events include:
- Sign-in and sign-out events
- Interaction with features of the app (e.g., adding parties, sending notifications)
- Crashes and other errors
In addition, the following metadata is collected by Amplitude and Datadog:
- The version of TablesReady being used
- The user's operating system and browser versions
- IP addresses
Users are identified in our system by their email address and are asked to provide a name. We don't attempt to collect any demographic information.
Are you SOC 2 or ISO 27001 certified?
While we'd eventually love to achieve these certifications, we don't hold them at this time.
Do you conduct background checks on your employees/contractors?
Yes. All employees sign an NDA and undergo a background check before starting.
What insurance do you carry?
- $1M cyber liability (each occurrence)
- $1M errors & omissions (each occurrence)
- $1M commercial general liability (each occurrence)
- $2M commercial general liability (aggregate)
Any further questions?
Great! Please email us and we'll happily update this doc.