At Referral Rocket, security and data protection are fundamental to our operations. We maintain rigorous security protocols and continuously evolve our practices to protect our customers' data and maintain the integrity of our platform.
1. Infrastructure
System Architecture: Our infrastructure is built with security as its foundational principle. We implement a firewall protection system that includes comprehensive IP whitelisting capabilities to ensure controlled access to our systems. We maintain constant vigilance over our network through real-time monitoring and analytics, powered by Cloudflare. These tools provide us with comprehensive insights into our system's performance and security status. Access between different services within our architecture is strictly controlled through a robust service-to-service authentication system using an enterprise-grade system such as Keycloak. We regularly rotate access keys and maintain strict separation between configuration settings and application code to prevent security vulnerabilities.
2. Data Centers
Our application infrastructure is hosted on Amazon Web Services (AWS) and DigitalOcean in secure, certified data centers. These facilities maintain the highest levels of compliance, including ISO 27001 certification, which demonstrates our commitment to information security management. Our data centers are also compliant with SOC 1, SOC 2, and SOC 3 standards, ensuring comprehensive operational and security controls. Our payment processing infrastructure is certified PCI DSS Level 1 compliant, ensuring the highest level of payment data security. For more information on Amazon Web Services and their security and compliance practices, visit here. View DigitalOcean Trust Certificates here. View Stripe Security Policy here.
3. Security Monitoring
We maintain a proactive approach to security through continuous vulnerability scanning using industry-standard tools. Regular penetration testing is conducted by our team to identify and address potential vulnerabilities before they can be exploited. Our team continuously monitors our dependency chain for vulnerabilities, and we maintain an aggressive patching schedule to ensure all systems are updated with the latest security fixes. This includes automated security patches and updates for both our infrastructure and application components.
4. Data
Data Storage: At Referral Rocket, we prioritize the security of our data by restricting access to our storage systems. Only authorized servers with the necessary permissions can access our data, and access keys are securely stored separately from our source code repository. These keys are only accessible by the systems that require them. Additionally, we keep production and testing environments completely isolated to further protect our data. For more details, please review the section our Privacy Policy. We use reliable cloud providers, including AWS and DigitalOcean, to host our infrastructure.
5. Authentication
We use an enterprise-grade authentication system such as Keycloak for authentication and authorization of our services.
Passwords: We never store passwords in a way that they can be retrieved. Instead, we use a secure method called cryptographic hashing, which turns your password into a unique code that can't be reversed back into the original password. This makes sure your password remains protected. If you ever change your key information, your session will automatically be logged out, and if you're inactive for a while, your session will expire to keep your account secure.
Monitoring: We actively monitor login attempts on all accounts to detect any unusual activity. If there are too many failed login attempts, we limit the number of attempts to protect against unauthorized access.
User Roles: Referral Rocket offers different user roles with specific permissions to make sure only the right people can access certain features. Roles can range from account owners, who have full control, to admins, users, and even more restricted roles that limit access to sensitive data, like Personally Identifiable Information (PII). This helps ensure everyone has the right level of access based on their needs.
6. Encryption
HTTPS: At Referral Rocket, we use HTTPS for all web traffic, ensuring that any communication between your browser and our services is secure. This applies to everything, from our web app to our API and public website. We also use HTTP Strict Transport Security (HSTS), which forces browsers to connect securely via HTTPS, protecting your data from potential threats.
Encryption in Transit: All data exchanged over our platform is encrypted while it's in transit. This means any information sent between you and our services is protected, ensuring privacy and security.
Encryption at Rest: We also protect sensitive information, like third-party API keys and webhook secrets, by encrypting it at rest. We use SHA-256 encryption to securely store this data, ensuring it remains safe even if stored on our servers.
Contact Us
We aim to reply to most support requests within one business day.