Security at tray.io

Keeping our customers' data secure is the single most important thing we do here at tray.io. We go to significant lengths to ensure that all data sent to and through tray is handled securely - because keeping tray secure is fundamental to the nature of our business.

In this document, we'd like to share some of the practices we follow to keep your data secure, and what we're doing to continually improve the security of your data.

This is a living document; we will update it from time to time.

You might also be interested in reading our Privacy Policy and Terms of Service.

If you have any questions at all, please feel free to get in touch with us at security@tray.io.

Our team has relevant experience

Our team is made up of people who have years of experience working for large multinational companies in areas where security is paramount, such as big data, payments, gambling, advertising and defence technologies. Our passion for security is foremost and we make sure that even the least security-oriented engineering roles are tested thoroughly on their security knowledge.

We follow best practices

Security best practices are ever-evolving, so at tray we invest significant time and resources in ensuring we’re up-to-date with the latest best practices and approaches to security:

  • We only store the data we need to - that which is required for accessing your account, connecting with your different third-party tools, and debugging workflows.
  • All data sent to tray.io is encrypted in transit. Our workflow and application endpoints are TLS/SSL only and score an "A" rating on SSL Labs' tests - meaning that we only use strong cipher suites.
  • We use technologies such as Logentries to provide an audit trail over our infrastructure and the tray.io application. Auditing allows us to do ad-hoc security analysis, track changes made to our setup and audit access to every layer of our stack.
  • We use two-factor authentication on the third-party software accounts we use. We regularly review the permissions given to different third-party tools, and discourage the use of shared logins. Where shared logins are unavoidable, we use Meldium to securely share logins.
  • We have fully functional automation systems in place which enable us to deploy changes to any of our applications in minutes. We typically deploy dozens of times a week - so we are well placed to roll out a security fix quickly, should the need arise.
  • We implement data encryption at rest for sensitive data points including user passwords, API keys, and access tokens.
  • We remove sensitive data such as API keys and access tokens from stored workflow run log data.
  • We have documented incident response plans to handle any issues that might arise.

We host in world class facilities

The vast majority of our systems and databases run in Amazon Web Services facilities, hosted in the USA. For full information on the extensive measures Amazon take to keep their facilities secure, visit the AWS security page.

We do not store credit card details

tray does not store payment information on our servers - we’re not in the business of payments processing. All payments are processed through our payments provider, Stripe. For more information about PCI compliance and Stripe’s other security features, see Stripe’s security page.

Last updated 14th February 2017