Many companies say they take security seriously. In our case, we’d like to demonstrate this with concrete information.

Security Audit

From time to time, we commission independent Internet security professionals to audit our security. We implement any findings and recommendations as a matter of priority.

EU General Data Protection Regulation (GDPR)

As we are based in Spain, which is in the European Union, we are regulated by the EU General Data Protection Regulation (GDPR). We abide fully by the EU GDPR. Read more about our GDPR compliance.

Employee Access

Infrastructure

The Saber Feedback application is hosted on Linode. We regularly audit our use of Linode. We regularly check our server logs for suspicious activity.

Our database is hosted on Linode.

Linode offers a choice of geographic regions. The Linode region we use is in Germany, a European Union member state. We store production data solely within the European Union.

Our web application only accepts and transmits traffic over HTTPS.

Backups

We take frequent backups and regularly ensure that a recent backup can be restored. Access to backups is guarded with a combination of 2FA, password managers, encryption at rest, and tight access rules.

Credit Card Data

At no time do we store your credit card details on our servers. Our payment processors, FastSpring and Stripe, handle payment processing on our behalf. FastSpring and Stripe ensure that all relevant compliance, such as PCI, is met.

None of our staff, including management, have access to your credit card info.

Got questions about our security? Ask us at [email protected]


Responsible Disclosure

We welcome whitehat security researchers and will gratefully receive reports of suspected security problems.

We ask you to refrain from the following:

Acknowledgement Program

We don’t offer bug bounties. However we acknowledge contributions here on our site.

Only the first researcher to report a specific qualifying issue is eligible for acknowledgement. Whether an issue is a qualifying issue, as well as eligibility for acknowledgement, are decisions taken by us in our discretion.

We reserve the right to cancel this program at any time without notice.

Guidelines

In order to qualify for acknowledgement, please follow these guidelines when reporting issues:

Vulnerabilities eligible for acknowledgement

Ineligible vulnerabilities

How to report issues

Report security vulnerabilities to [email protected]. Once we’ve received your email, we’ll work with you to make sure we completely understand the scope of the problem and keep you informed as we work on the solution.