Security

(Last updated 23rd August, 2023)

About

Statusbrew aims to help businesses of all sizes become better marketers, create stronger relationships with their customers, be more informed decision makers, and create the world’s most beloved brands.

Statusbrew maintains organizational and technical measures to protect the information you provide to us from loss, misuse, and unauthorized access or disclosure. These measures take into account the sensitivity of the information Statusbrew collects, processes and stores; the current state of technology; the costs of implementation; and the nature, scope, context, and purposes of the data processing Statusbrew engages in.

At Statusbrew, we recognize the critical role that external security research plays in maintaining the highest security standards for our services and our customers. As part of our commitment to the security of our systems and our users, we encourage responsible reporting of any vulnerabilities that may be found in our platform or infrastructure. This policy provides guidelines for submitting such vulnerabilities and outlines our commitment to addressing them.

SOC 2 Compliance

Statusbrew maintains a SOC 2 Type II attestation and compliance certification. Our SOC 2 Type II report certificate can be requested by reaching out to sales@statusbrew.com

GDPR Compliance

The EU’s General Data Protection Regulations (GDPR) take effect on May 25, 2018, and we are fully behind the spirit of these regulations for a safe and secure Internet. We aspire to embrace privacy by design and, whenever possible, to not collect and store personally identifiable information.

Our Privacy Policy contains mentions of the few instances where personally-identifiable information is required. Typically this will include an email address in order to log in to Statusbrew or a social network username in order to manage your account.

Overall, we aim for privacy by default: if data collection is not integral to the way our product works, then we won’t collect it. This approach has felt very much in line with the spirit of GDPR, and we’re fortunate that a lot of these data collection practices have been in place at Statusbrew for some time. As such, you may see a few banners or forms requesting consent for us to collect personally identifiable information for tracking or other purposes. We don’t deem this information necessary to provide Statusbrew's service to you, and we choose not to engage in activities and strategies that make this data relevant.

We commit to displaying a list of all current sub-processors in use by Statusbrew. A sub-processor includes any third party that we share personally identifiable info with.

At any time, you may request your information to be exported and sent to you for review, and we promptly honor any requests by you to have your information deleted and forgotten. Mail us with your requests at support@statusbrew.com

Data Processing Addendum (DPA)

Statusbrew makes available a Data Processing Addendum (DPA) for GDPR. The GDPR DPA and some FAQs are available to all of our customers. If you would like to enter into the GDPR DPA with Statusbrew, please email us and we will promptly send you Statusbrew’s Data Processing Addendum for you to complete, sign and return to us.

Confidentiality

Statusbrew maintains appropriate controls to restrict its employees’ access to the Customer Content that you and your Authorized Users make available via the Statusbrew Services, and to prevent access to Customer Content by anyone who should not have access to it.

All of Statusbrew's employees are bound by Statusbrew policies regarding the confidential treatment of Customer Content.

Statusbrew employees receive security training during onboarding and on an ongoing basis. Employees are required to read and sign information security policies covering the confidentiality, integrity, availability, and resilience of the systems and services Statusbrew uses in the delivery of the Statusbrew Services. Where applicable, including for particularly sensitive positions, Statusbrew also conducts criminal background checks on employees before employment.

Data Centers

Statusbrew's products are hosted by Amazon Web Services (AWS). AWS provides world-class hosting facilities that are secure, highly available, and redundant, with compliance to Cloud Security Alliance Star Level 2, ISO 9001, 27001, 27017, 27018, PCI DSS Level 1, and SOC 1, 2, and 3. For more more information on AWS's certifications and compliance programs, please visit https://aws.amazon.com/compliance/programs.

Customer data is hosted in the United States, in AWS's us-east-1 region. Statusbrew is certified by Privacy Shield to transfer personal data from the European Union and Switzerland and is GDPR compliant. AWS's data centers are outfitted with world-class physical hosting capabilities. Buildings have temperature and humidity monitoring and management, automatic water detection and removal, and automatic fire detection and suppression. Combinations of multiple power feed, Uninterruptible Power Supply (UPS) systems, and on-site electrical generators provide layers of backup power.

Application Security

Statusbrew's developers are given annual training on secure coding. All application code is written by Statusbrew employees, and each change undergoes peer review. Security vulnerabilities are promptly triaged and corrected.

Data Encryption
The Statusbrew Services support the latest industry-standard secure cipher suites and protocols to encrypt all traffic in transit. Statusbrew currently supports only TLS 1.2 on its main website and all pages that accept credit card information.

Customer Content is also encrypted at rest, where appropriate and having regard to the nature of the content and associated risks. Almost all of the information Statusbrew processes is already publicly available elsewhere and so there are no associated privacy risks.

Statusbrew monitors the changing cryptographic landscape closely and makes commercially reasonable efforts to upgrade the Statusbrew Services to respond to new cryptographic weaknesses as they are discovered and implement best practices as they evolve.

Two-Factor Authentication
Two-factor(2FA) authentication adds an additional layer of security to your Statusbrew account. After entering the credentials, you will be requested a subsequent authentication code from your smartphone using the Google Authenticator application whenever you sign in to your account. By adding the second step of authentication, we assure you that you only can log into your account.

Single Sign-On (SSO)
Statusbrew provides Single Sign-on (SSO) services to its clients. SSO is a validation technique that enables clients to access multiple applications with a single login credential to access various applications. Executing SSO gives a bright and consistent account security and user experience. If an employee's permissions change, their network administrator can disable the accounts related to that specific user with less effort through the database.

Third-party penetration testing
Statusbrew contracts with multiple penetration testing vendors to conduct several tests per year.

PCI DSS
When payments are processed via credit card, Statusbrew uses third-party vendors that are PCI DSS compliant. At no point does Statusbrew store, transmit, or process your credit card information; Statusbrew simply stores anonymous tokens that identify the applicable processed transactions.

Product Security Features

Secure Credential Storage Account passwords are salted and hashed using the latest strong algorithms and approaches, which are routinely audited. No human, our staff included, can ever view them. If you lose your password, it can't be recovered and must be reset.

Brute-force Protections
In addition to computationally challenging hashing, our authentication services implement additional rate-limiting protections and ReCAPTCHA.

Approval Workflows
Account Owners and Administrators may restrict certain activities behind approval workflows. These allow for tasks to be divided amongst a team, with the peace of mind that central decision makers may review and control public-facing actions.

Access Permissions
Account Owners and Administrators may restrict access to profiles, features, actions (including read and write), and other data, by applying granular controls to users on their account.

Email Signing
Statusbrew implements Sender Policy Framework (SPF) and DomainKeys Identified Mail (DKIM) to ensure emails we send are authenticated as coming from Statusbrew, helping to prevent spoofing and ensure authenticity.

Security Vulnerability Disclosure Policy

Authorization

If you make a good faith effort to comply with this policy during your security research, we will consider your research to be authorized we will work with you to understand and resolve the issue quickly, and Agency Name will not recommend or pursue legal action related to your research. Should legal action be initiated by a third party against you for activities that were conducted in accordance with this policy, we will make this authorization known.

Guidelines

Under this policy, “research” means activities in which you:

Notify us immediately after you discover an actual or potential security issue.
Acknowledge receipt of your report in a timely manner
Make every effort to avoid privacy violations, degradation of user experience, disruption to production systems, and destruction or manipulation of data.
Only use exploits to the extent necessary to confirm a vulnerability’s presence. Do not use an exploit to compromise or exfiltrate data, establish persistent command line access, or use the exploit to pivot to other systems.
If you wish to acknowledge your disclosure publicly, provide us with a reasonable amount of time to resolve the issue before you disclose it publicly
Do not submit a high volume of low-quality reports.

Once you’ve established that a vulnerability exists or encounter any sensitive data (including personally identifiable information, financial information, or proprietary information or trade secrets of any party), you must stop your test, notify us immediately, and not disclose this data to anyone else.

Scope

This policy applies to the following systems and services:

Any service not expressly listed above, such as any connected services, is excluded from the scope and is not authorized for testing.

Since Statusbrew relies heavily on the APIs provided by social networks like Facebook, Google, and LinkedIn, features that make access requests to social networks are excluded from the scope and are not authorized for testing. Examples of such features would be replying to comments or messages with Statusbrew’s Engage tools, posting content with Statusbrew’s Publish, etc.

While we operate and uphold various online systems and services, we request that active investigation and examination be limited to only those outlined within this document's scope. Should you believe a system outside of this scope warrants testing, please contact us beforehand to discuss. We plan to expand the coverage of this policy incrementally.

Additionally, vulnerabilities found in systems from our vendors fall outside of this policy’s scope and should be reported directly to the vendor according to their disclosure policy (if any).

Test Methods

The following types of research are not authorized:

Network denial of service (DoS or DDoS) tests or other tests that impair access to or damage a system or data
Physical testing (e.g. office access, open doors, tailgating), social engineering (e.g. phishing, vishing), or any other non-technical vulnerability testing
Attempting to reach or retrieve data that is not under your ownership
Distributing, or making attempts to distribute, unwanted or unauthorized emails, spam, or other types of unsolicited communication
Conducting tests on external websites, applications, or services that are connected with Statusbrew
Deliberately submitting, transmitting, uploading, linking, forwarding, or storing software that is malicious in nature, such as viruses or malware
Investigations carried out by underage individuals, persons who are on sanctioned lists, or persons residing in countries that are on sanctioned lists

Exclusions from Eligibility

Please be aware that Statusbrew does not recognize the following as qualifying vulnerabilities for this program:

Third-Party/Open Source Component Vulnerabilities: Issues within components not owned by Statusbrew.
Distributed Denial of Service (DDoS): Attacks intended to disrupt service through high traffic.
Social Engineering/Phishing Issues: Tactics that manipulate individuals into disclosing confidential information.
Email Bomb/Flooding: Overwhelming an email system with a high volume of messages.
Unvetted Automated Scanner Findings: Results from automated tools that have not undergone manual verification.
Exposure of Server or Software Versions: Mere disclosure of software or server versions.
Password Strength or Policy Issues: Concerns regarding the strength or guidelines of password policies.
Exploits Requiring Jailbroken or Rooted Devices: Security flaws that only present on compromised devices.
Self-Exploitation Attacks: Vulnerabilities exploitable only by the user against themselves.
Outdated Browser Exploits: Issues only affecting older, unsupported browser versions.
Subresource Integrity Checks: Absence of subresource integrity validation.
Header Misconfigurations or Missing Security Headers: Issues with headers that lack proof of exploitability against a remote victim.
Similar Unclaimed Social Media Accounts, Links, or Domains: Unclaimed digital assets that resemble Statusbrew’s official channels.
DMARC/SPF Issues: Problems related to email sender verification.
TLS/SSL Version Concerns: Issues solely related to the versions of TLS/SSL used.

How to Report a Security Vulnerability

If you believe you have found a security vulnerability in any of our services, we ask that you report it to us as follows:

Secure Communication: Please send your findings via encrypted email to security@statusbrew.com or using this form. Ensure that your report includes a detailed description of the issue, including such information as the URL or the component where the vulnerability exists, and any supporting material like screenshots, proof of concept, or tools used.
Information to Include: Description of the location and potential impact of the vulnerability. A detailed description of the steps required to reproduce the vulnerability (Proof of Concept scripts or screenshots are helpful). Your contact information.
What to Expect: Acknowledgment of your report within 10 business days. Regular updates about our progress. Notification when the issue is resolved.

Kindly refrain from making these details public without obtaining explicit written permission from Statusbrew. When reporting potential vulnerabilities, ensure you provide sufficient details to enable us to replicate your actions and respond accordingly.

Safe Harbor

When you follow this policy in reporting an issue to us, Statusbrew will work with you to understand and resolve the issue quickly. We will not initiate legal action against you or administrative or legal complaints to law enforcement. We ask in return that:

You provide us a reasonable amount of time to resolve the issue before disclosing it publicly.
You make a good faith effort to avoid privacy violations, destruction of data, and interruption or degradation of our service during your research.

Rewards

While we do not currently offer a paid bug bounty program, Statusbrew values contributions by the security community. Recognition and rewards for such contributions may vary and are at the discretion of our security team based on the severity and creativity of the vulnerability reported.

Contact Information

For any inquiries or further information regarding security at Statusbrew, please contact security@statusbrew.com.