Security Overview

Introduction

We have implemented bank-grade security (or higher) in order to protect your personal data. Your privacy and security are of paramount importance. Exirio has been secure by design from day one, without exception.

Encryption

Your data are encrypted so that anyone who gains unauthorized access cannot extract any information from them. Your data are encrypted both:

  • In transit: Whenever your data are in transit between you and us, everything is encrypted and sent over HTTPS/TLS. This means that nobody can read your data while they are being transferred between your computer and our servers. The TLS connection encrypts data with the Advanced Encryption Standard (AES), also known by its original name Rijndael, a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) and the first (and only) publicly accessible cipher approved by the U.S. National Security Agency (NSA) for top secret information when used in an NSA-approved cryptographic module. We use the longest key length in the specification: 256 bits.
  • At rest: All Personally Identifiable Information (PII) is encrypted at rest. Other, less sensitive transactional information is not encrypted, but it is subject to the same protection and monitoring as the rest of our systems. Backup copies are also fully encrypted.

Authentication

Authentication can be accomplished in two ways:

  • Username and password: Exirio does not store your password. We store only a salted hash of it, which is used to authenticate you during login. This prevents an attacker from recovering your original password even in the unlikely event that someone manages to gain access to our users database. Having said that, other providers might not be so careful, so please do not reuse passwords; use a password manager instead.
  • Using your social login of choice (Google, Facebook, Microsoft or LinkedIn) with HMAC authentication. This allows you to rely on these providers’ security standards, including multi-factor authentication (highly recommended).

Our domains are protected with Domain Name System Security Extensions (DNSSEC) to ensure that you are always communicating with us and not an impostor.

Regularly-updated Infrastructure: Hardware

We use cloud services provided by Amazon Web Services (AWS). AWS’s data centers are certified ISO 27001, SOC 2 (Type II), PCI DSS (Level 1), FISMA, and many more.

Regularly-updated Infrastructure: Software

Our software infrastructure is updated regularly with the latest security patches: we constantly work to keep up with the state-of-the-art in web security.

Backups

Automatic backups allow us to quickly restore your data in case of data loss. These backups are encrypted.

Security Audits

Exirio is regularly audited by independent security experts. Any reasonable recommendation is implemented with the highest priority.

Constant Monitoring

We are dedicated to maintaining the security of your account on our systems, and we have set up monitoring tools that alert us to any nefarious activity against our domains. To date, we have never had a data breach.

We also monitor internal data access. If an Exirio staff member improperly accesses customer data, they will face penalties ranging from termination to prosecution.

Attack Protection

We use third-party software in order to protect us against Denial-of-Service attacks.

Privacy

We will never sell your data. We do not share your data with any third party unless it is required to deliver our service, and then only under strict controls and agreements.

We strictly comply with the GDPR.

If you decide to use a social login from a third party, we gather only your first name, last name, email address and profile picture. We do not have access to anything else.

Whenever you want, you can download and export everything you have uploaded on Exirio. As we said, they are your data – not ours.

Bug Bounty Program

We run a Bug Bounty Program to incentivize white-hat hackers to continuously test our security. Should you encounter an exploitable vulnerability or security flaw in our systems, contact us to report it responsibly and receive your reward (defined at our discretion).

Track Record

We have processes and defenses in place to keep our record of zero data breaches intact. While perfect security is a moving target, we constantly work to keep up with the state of the art in cyber security.

Responsible Reporting

In the unfortunate event that a malicious actor successfully mounts an attack, we will immediately notify all affected users.

Contact

Have you noticed abuse, misuse or an exploit, or experienced an incident with your account? Please let us know at [email protected].