Safety & Security
Effective: January 1, 2015
Last Updated: August 18, 2021
Data safety and consistency
At Woodpecker, we care deeply about our Customers’ and/or Users’ data security. We realize it is essential to earn your trust, which is why we do what we can to make Woodpecker the safest place possible. We implement a variety of security measures to maintain the safety of all personal information you provide us with. In this Safety & Security section, you will find information on how we protect your data and how the servers that process it are protected.
1. Hosting
Excluding off-site backup, Woodpecker is hosted on the servers of OVH (one of the 3 best internet hosting companies in the world). Our OVH servers are located in France; we also use proxy infrastructure with servers located in Canada, the US and Australia. EU customers are automatically assigned to European data storage centers. Furthermore, our hosting provider is SSAE-16 compliant. OVH hosted servers are ISO certified (ISO 27001).
2. Security of financial transactions
Your account is protected by a password for your privacy and security. You are responsible for preventing unauthorized access to your Woodpecker account and all the personal information by selecting and protecting your password appropriately, and by limiting access to your computer or device and browser by signing off after you finish accessing your account. We outsource payment processing to ensure the highest standard of safety. We decided to use Braintree as one of the leading solutions for payment collection. To assure the safety of your sensitive/credit information, we use a secure server. All supplied sensitive/credit information is transmitted via Secure Sockets Layer (SSL – a technology which ensures privacy by generating an encrypted link between a web server and browser) and then encrypted into our payment gateway provider’s database, to be accessible only by those authorized with special access rights to such systems, who are required to keep the information confidential. After a transaction, your private information (credit cards, passwords, financials, etc.) will not be stored on our servers.
3. Passwords at Woodpecker
All passwords to Woodpecker accounts are protected with RSA 2048 encryption. Our personnel is unable to access your email account passwords unless you explicitly share such data with them. To make sure your information is transmitted via SSL, you should see a green closed padlock by the HTTPS connection in your URL bar at all times. You can learn more about SSL in this video made by SSL.com themselves.
4. Backups & infrastructure security
Woodpecker uses:
a. triple encrypted data backups;
b. protection against DDoS attacks;
c. firewall;
d. private IP addresses.
Database dumps take place every hour and the data stored on WWW hosting is copied every 6 hours in order not to lose any of the data provided by our Customers and/or Users. We want to minimize the situations in which the data that the Customer and/or User is adding to Woodpecker is not saved due to a sudden update of the infrastructure, which is why infrastructure updates take place only when necessary. What is more, the Woodpecker team makes sure that all additional actions are taken to maintain a secure infrastructure and application environment, which is why we cooperate with a group of experienced admins who monitor system activity 24 hours a day, 7 days a week. We have implemented an effective disaster procedure that ensures that we are able to detect and recover data in case of most errors.
5. Data encryption
We partially encrypt our data at rest with 256-bit AES with GCM to ensure safety. Furthermore, we partially encrypt data in transit – the environment utilizes TLS 1.3 without downgrade possibility.
6. Contractual safeguards
Woodpecker uses third-party providers to deliver the Service. We ensure that we have appropriate security measures and contractual safeguards implemented in all agreements that we have concluded with third-party providers. If you wish to know more about it, check our Personal Data Transfer Policy & Processors’ List. We also comply with the General Data Protection Regulation requirements regarding data processing – if you, as a Customer, wish to sign a Data Processing Agreement, please contact our support team.
Physical security of servers & data centers
The data centers are under 24/7 security, constant conservation, constant registered monitoring, and movement detection. All spheres are protected with fences equipped with barbed wire, which enables only authorized personnel to enter the data centers and react immediately to any emergencies.
Compliance with Google API Services Policy
Our use and transfer to any other provider of information received from Google Accounts will adhere to Google API Services User Data Policy, including the Limited Use requirements.
System status security
We are extremely proud of a very small number of incidents that have caused any breaks in the access to Woodpecker. We are not ashamed of any difficulties occurring in the past, that is why we keep the history of our system status out for the public. However, in case of any issues in the future, we make sure to constantly monitor the status of our system and inform our Customers and/or Users of any problems. You can take a look at the current status of the system on our System Status page and even subscribe for email updates, which will inform you of any issues or planned maintenance breaks if they ever took place.
We also monitor our application on a daily basis and collect data about its fluency and up-time to diagnose errors and issues as soon as possible.
Disaster Recovery Policy
1. PURPOSE
This policy explains a baseline disaster recovery plan and timeline implemented by Woodpecker. It shall guarantee transparent and reliable system functioning. This policy shall have an informative character for all customers (in particular when it comes to risk assessment and data safety).
2. SCOPE
This policy applies to Woodpecker application available via woodpecker.co, usewoodpecker.com and all related subdomains and shall affect data stored by Woodpecker once aggregated through the application. This policy details the strategy Woodpecker has put in place, and maintains, to risk assess Disaster Recovery (DR) requirements and develop, implement and regularly test the solution aimed at providing an appropriate response for each service depending on its identified criticality. For the purpose of this Policy, disaster shall mean a serious incident that cannot be managed within the scope of Woodpecker’s normal working operations.
3. POLICY
Woodpecker uses security measures that ensure a high standard of data safety – you can read more about it here. Our disaster recovery is based upon the operational ability of vendors that deliver servers, administrators’ monitoring and in-house procedures. Woodpecker stores its data on OVH hosted servers – ISO certified (ISO 27001). The vendor ensures that, apart from ISO compliance, each hosting center is located within secure facilities with limited access. Storage centers are located within 60 km distance from each other to limit risk concerning geolocation. We shall not reveal the detailed location of data storage centers due to security reasons.

In case of disaster recovery procedures application, Woodpecker shall use online replicated data that shall be installed on backup servers. We use Ansible to extract data to a new server (this concerns 1 to 1 copy), and we use Proxmox Templates to create a new VM in our infrastructure. We are prepared to ensure full traffic redirection in case of any system malfunctioning. Full recovery time shall not exceed 6 hours in case of full database breakdown. Precise recovery time depends on the severity of damages and may differ but shall not exceed the mentioned 6 hours.

The Woodpecker application shall be under constant monitoring and control checks concerning working fluency. We ensure that our Dev team shall maintain and react if necessary in case of downtime. Furthermore, we inform you that our day-to-day network checks are performed by external Administrators who ensure secure backup storage and perform tests concerning data restoration. We create a backup every 6 hours to secure data. If there is anything that affects the functionality of our application, Woodpecker shall update its status page or notify customers, provided that there is such technical and business possibility, and inform them about the foreseeable time of recovery and damage restoration.
If you need any precise information that may address your risk assessment needs, feel free to contact our Data Protection Officer via [email protected].

Check our Vulnerability Disclosure Program

All the data you provide us with will be processed by: Woodpecker.co S.A. (joint-stock company) residing in Europe – Poland – Wroclaw 29D Krakowska STR, zip-code: 50-424 in a way that is crucial to agreeing on a contract, as well as its fulfillment. Transaction data, in that personal data, can be transferred for the benefit of: PayPal (Europe) S.à.r.l. et Cie, S.C.A., 22-24 Boulevard Royal L-2449, Luxembourg on the terms that will be beneficial to service-connected to order payments.