At Doorstack, security is fundamental to everything we do. We understand that you're entrusting us with sensitive community and personal information, and we take that responsibility seriously. This page outlines our commitment to security and the measures we've implemented to protect your data.
Our Security Commitment
We are committed to:
- Protecting your data from unauthorized access, disclosure, alteration, and destruction
- Maintaining the confidentiality and integrity of your information
- Ensuring the availability and reliability of our services
- Continuously improving our security practices
- Being transparent about our security measures
- Responding promptly to security incidents
Data Encryption
Encryption in Transit
All data transmitted between your browser and our servers is encrypted using industry-standard Transport Layer Security (TLS) 1.3 protocol. This ensures that:
- Your login credentials are never sent in plain text
- All API communications are encrypted
- Third parties cannot intercept or read your data in transit
- We use HTTP Strict Transport Security (HSTS) to enforce HTTPS connections
Encryption at Rest
Your data stored on our servers is encrypted at rest using AES-256 encryption:
- Database encryption for all stored data
- Encrypted file storage in Amazon S3 with server-side encryption
- Encrypted backups with separate encryption keys
- Secure key management using AWS Key Management Service (KMS)
Authentication and Access Control
Secure Authentication
We implement multiple layers of authentication security:
- OAuth 2.0 integration with trusted providers (Google)
- Secure password hashing using bcrypt with per-user salts
- Session management with secure, HTTP-only cookies
- Automatic session expiration after periods of inactivity
- Password strength requirements and validation
Role-Based Access Control (RBAC)
We enforce strict access controls based on user roles:
- Homeowners can only access their own property information
- Board members have limited access to community management features
- Administrators have full access with audit logging
- Principle of least privilege - users only get necessary permissions
- Multi-community isolation - data is segregated by community
Infrastructure Security
Cloud Infrastructure
We leverage Amazon Web Services (AWS) for our infrastructure, benefiting from:
- SOC 2 Type II certified data centers
- Physical security with 24/7 monitoring
- Redundant power and network connectivity
- Geographic redundancy and disaster recovery
- Regular third-party security audits
Network Security
Our network security measures include:
- Virtual Private Cloud (VPC) isolation
- Network segmentation and firewalls
- DDoS protection and mitigation
- Intrusion detection and prevention systems
- Regular security scanning and vulnerability assessments
Application Security
We follow secure development practices:
- Input validation and sanitization to prevent injection attacks
- Protection against Cross-Site Scripting (XSS) attacks
- Cross-Site Request Forgery (CSRF) protection
- SQL injection prevention through parameterized queries
- Regular security updates and dependency patching
- Security-focused code reviews
Data Protection and Privacy
Data Minimization
We only collect and retain data necessary for providing our services. Personal information is not shared with third parties except as described in our Privacy Policy.
Data Isolation
Each community's data is logically isolated:
- Community-specific data segregation at the database level
- Access controls prevent cross-community data access
- Separate file storage paths for each community
- Query-level community ID validation
Secure File Storage
Documents and files uploaded to Doorstack are secured through:
- Encrypted storage in Amazon S3
- Pre-signed URLs with time-limited access
- File type validation to prevent malicious uploads
- Virus and malware scanning on upload
- Access controls based on user roles and permissions
Payment Security
We use Stripe for payment processing, which provides:
- PCI DSS Level 1 compliance (the highest level of certification)
- Tokenization of credit card information
- We never store credit card numbers on our servers
- 3D Secure authentication for card payments
- Fraud detection and prevention
Monitoring and Logging
We maintain comprehensive security monitoring:
- 24/7 automated monitoring of system health and security
- Real-time alerts for suspicious activity
- Comprehensive audit logs for all sensitive operations
- Log retention for security investigation and compliance
- Regular review of access logs and system events
Backup and Disaster Recovery
We ensure business continuity through:
- Automated daily backups of all data
- Encrypted backup storage with separate encryption keys
- Geographic redundancy with backups stored in multiple regions
- Regular backup restoration testing
- Documented disaster recovery procedures
- Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets
Employee Access and Training
Access Controls
Employee access to customer data is strictly controlled:
- Role-based access for internal team members
- Principle of least privilege for system access
- Multi-factor authentication required for all internal accounts
- Regular access reviews and audits
- Immediate revocation of access upon employee departure
Security Training
All employees receive:
- Security awareness training during onboarding
- Regular security and privacy training updates
- Phishing awareness and testing
- Secure coding practices for developers
- Incident response training
Compliance and Certifications
We comply with relevant security standards and regulations:
- GDPR (General Data Protection Regulation) compliance for European users
- CCPA (California Consumer Privacy Act) compliance
- SOC 2 Type II compliance (in progress)
- Regular third-party security assessments
- Adherence to OWASP Top 10 security best practices
Vulnerability Management
We proactively identify and address security vulnerabilities:
- Regular security vulnerability scanning
- Automated dependency checking for known vulnerabilities
- Penetration testing by third-party security experts
- Responsible disclosure program for security researchers
- Rapid patching of identified vulnerabilities
Incident Response
In the event of a security incident, we have procedures in place to:
- Quickly identify and contain the incident
- Assess the scope and impact of the breach
- Notify affected users in accordance with legal requirements
- Investigate root causes and implement preventive measures
- Work with law enforcement and regulatory authorities as needed
- Conduct post-incident reviews and improve our processes
If you believe you have discovered a security vulnerability, please report it to security@doorstacks.com. We take all reports seriously and will investigate promptly.
Your Role in Security
Security is a shared responsibility. You can help protect your account by:
- Using a strong, unique password for your Doorstack account
- Not sharing your login credentials with others
- Logging out when you're done using Doorstack on shared devices
- Keeping your contact information up to date
- Being cautious of phishing attempts and suspicious emails
- Reporting suspicious activity to support@doorstacks.com
- Reviewing your account activity regularly
Questions and Contact
If you have questions about our security practices or want to report a security concern, please contact us:
Security Team: security@doorstacks.com
General Support: support@doorstacks.com
Updates to This Page
We regularly review and update our security practices. This page will be updated to reflect any significant changes to our security measures. Check back periodically to stay informed about how we protect your data.