How we keep your information secure

Business and HR information

PickFu currently employs 16 people. From time to time, we may employ additional consultants. Anyone who works with PickFu directly or as a consultant must sign non-disclosure and security best practices agreements. Team members are required to undergo information security training as part of their onboarding and annually during their employment.

The PickFu organization is fully remote with no physical offices. Employees are not required to work at any given location. Some of the countries where we have employees include the following: USA, Mexico, Brazil, Argentina, Greece, France, and Kazakhstan. As a remote organization, we keep all records digitally.

All digital information is stored in the cloud using established business-grade software providers, including, but not limited to, Google, Amazon, Asana, Slack, etc. The team has no access to physical servers and no access to data centers. With cloud storage, data may be geographically dispersed, depending on the implementation of the cloud provider.

Computer and physical security

Depending on their employment status, employees use a combination of work-issued and personal devices. For directly employed team members, PickFu maintains a list of company-owned inventory.

• Spyware and anti-virus software are provided for each person.
• Team members are advised to follow these practices:
  • Do not use public Wi-Fi networks.
  • Do not leave devices unattended or unsecured.
  • Use multi-factor authentication.
  • Change passwords every 6 months.

Encryption and hosting

• User passwords are hashed and encrypted before being stored. Passwords are never stored in plain text and are filtered out of our application logs.
• Access to customer data is only accessible by certain employees for whom access is necessary to do their job. These employees are made aware of our data privacy and protection policies.
• All data communication between the PickFu web application and our back-end service is encrypted with TLS. We use Automated Certificate Management provided by Let’s Encrypt and all web traffic is protected by Cloudflare. 
• The PickFu web application is hosted by and served from Heroku and Amazon Web Services. All data is stored in Heroku's Postgres database service. Heroku's security policy may be found here. Our AWS instances are monitored through AWS security services GuardDuty and Inspector.  All of our applications are deployed using managed services, meaning we typically do not manage servers or EC2 instances in production.
• Credit card information is never stored by PickFu. Credit card information is encrypted, directly transmitted to Stripe, and stored and processed via PCI-compliant procedures. Full details may be found on the Security at Stripe page. PickFu stores a token provided by Stripe to reference a customer's credit card through the Stripe API. Credit cards are never stored on PickFu servers, nor do we have access to any card number or details. This information does not pass through PickFu servers (we have no logs with credit card information). All communication with Stripe is handled over an encrypted TLS connection.
• Customer-uploaded media assets are securely transmitted to, processed by, and stored by Cloudinary, a cloud-hosted media platform. Its security policy may be found on its Trust page.
• Vulnerability scans are done monthly and penetration tests annually done by Cacilian, a division of Prescient Security. 
• We do not currently offer a bug bounty, but our vulnerability disclosure policy can be found here.

Data disposal

A customer's relationship with PickFu is at will, with no contract or defined engagement term. The customer can pause their use of PickFu and come back at any time. If a customer chooses to permanently close their account and delete their data, they can do so by emailing our support staff at info@pickfu.com.

• Server and application logs are retained for a maximum of one week, after which they are permanently deleted. Application analytics will be permanently deleted on request.
• When a customer requests account deletion, the customer's information and identity are scrubbed from the system.

Compliance

PickFu has achieved SOC 2 Type II compliance in accordance with American Institute of Certified Public Accountants (AICPA) standards for SOC for Service Organizations also known as SSAE 18. Achieving this standard with an unqualified opinion serves as third-party industry validation that PickFu, Inc. provides enterprise-level security for customer's data secured on the PickFu platform.

An unqualified opinion on a SOC 2 Type II audit report demonstrates to PickFu, Inc.'s current and future customers that they manage their data with the highest standard of security and compliance.

SOC2 report requests can be made to info@pickfu.com.

Compliance concerns, violations, or vulnerabilities may be reported to admin@pickfu.com.