Security and Privacy
Backup File Security
Backup files are not encrypted. Your data is stored internally on the device as a SQL database. When you back up, the device compresses your data along with some XML-formatted settings files. We should treat the backup file as the equivalent of a plain-text spreadsheet containing all the business data. The backup files are not intended to be secure, and anyone with access to the file and the time to interpret the data format can read the data.
Online Backup Security
Online Sync is encrypted end to end. That is, from your device to the server we use HTTPS over an SSL connection. Any non-secure (HTTP) connections are redirected by the server so that your data is not sent as cleartext. This was important to us, and we had to apply to the United States BIS (Bureau of Industry & Security) for a licence allowing encrypted data from our app to leave your device. The link uses a standard 2048-bit public key coupled with standard AES-256 symmetric encryption. The device expects an encrypted connection and checks the certificate it receives from the server to make sure the connection has been made to our servers.
For the servers, our architecture is such that all connections reach a load balancer first. This machine holds the SSL certificate and handles the decryption and encryption of data entering and leaving. On the other side of the load balancer are a number of web servers that service the requests your device may make, such as uploading a change or requesting a download of your data. Each of these web servers connects to a common back-end database running on a dedicated machine. All machines are hosted on Amazon's EC2 cloud computing platform and based in the U.S.
The internal network connections (between the load balancer, the web servers and the database server) are inside the data centre, are not reachable from the Internet, and are not encrypted.
Backups of the database are scheduled each day, and the backup file is moved to one of the web servers over the internal network. Backup files older than one week are deleted automatically. Should a backup file be needed, it can be transferred back to the database server over the internal network. If a backup is ever needed on a machine outside the network, it will be encrypted and transferred using SCP (over an SSH tunnel).
Connecting to the web servers requires a private key, which is held securely here at Geode; no shell connections can be made without it. Our computers use encryption to lock down the files in our user folders, as a safeguard against physical theft. Connecting to the database is possible only from the web servers and from one other single IP address. Once the connection is made, authentication consists of a username and a long, randomly generated password.
Security was designed in from the beginning, and I hope that helps to explain how we did it.
We don't enforce a strict password policy. When you register for Online Syncing we create a random passcode and send it to you by email. You can change your passcode on the site once you have logged in, but we recommend avoiding simple words that would appear in a dictionary. A mixture of upper- and lower-case letters, numbers and symbols is the best advice we can give for a strong password.
We don't store your password in the database; instead we store a cryptographic hash. This is designed so that nobody, not even we ourselves, knows what your passcode is. When you log in, we re-hash the passcode you supply and check whether it matches the hash we have stored. We think we have done all we can to secure the database, and this is just an extra step to guard against your passcodes becoming publicly available should the database ever escape our control.
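As an added illustration of the registration and login flow described above (example code written for this page, not Geode's own implementation): generate a random initial passcode, store only a salted hash of it, and verify a login by re-hashing what the user supplies. The choice of PBKDF2-HMAC-SHA256, the per-user random salt and the iteration count are assumptions; the page says only that a cryptographic hash is stored.

```python
import hashlib
import hmac
import os
import secrets
import string

# Assumptions (not stated on the page): PBKDF2-HMAC-SHA256 with a random
# per-user salt and a high iteration count; the page names no algorithm.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
PASSCODE_ALPHABET = string.ascii_letters + string.digits

def generate_passcode(length=16):
    """Random initial passcode of the kind emailed at registration.
    Uses the secrets module (a CSPRNG), not the random module."""
    return "".join(secrets.choice(PASSCODE_ALPHABET) for _ in range(length))

def hash_passcode(passcode, salt=None):
    """Return the record to store: 'pbkdf2_sha256$<iters>$<salt>$<hash>'.
    A fresh salt per user means two users sharing a passcode still get
    different hashes, so one precomputed table does not cover every user."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", passcode.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_passcode(passcode, stored):
    """Re-hash the supplied passcode with the stored salt and compare.
    hmac.compare_digest keeps the comparison constant-time; a malformed
    record is treated as a mismatch rather than raising."""
    try:
        scheme, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        rounds = int(iterations)
    except ValueError:
        return False
    if scheme != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", passcode.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)

if __name__ == "__main__":
    code = generate_passcode()
    record = hash_passcode(code)  # this is what the database would hold
    print(record, verify_passcode(code, record), verify_passcode("x", record))
```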