How we do security
July 8, 2014
Jun Huh, Chief Technology Officer
Many of our users have contacted us recently to ask how we assure the security of their personal data. Concerns about privacy and security have been in the spotlight, particularly since incidents like the OpenSSL Heartbleed bug and the NSA collecting private information. The raised awareness of the general public is great for the Internet going forward, and we believe it is a good time to talk about how we handle personal data in Mohiomap.
Our servers are hosted on Amazon Web Services, and we follow their best practices for IAM and for restricting admin connectivity to the servers. Amazon Web Services is one of the leading data hosting providers and is trusted by a wide range of clients.
We have a dedicated database server that is accessible only from the internal network and requires a separate access key. Your personal data, such as your e-mail, password, and access tokens, is stored on this server, which is accessible only via our app server and is not exposed to the outside.
Once you grant our app access to your Cloud data (e.g. connect your Evernote or Dropbox account), our application has full read/write access, but we never access the contents of your files or notes. We only analyze the metadata surrounding notes and files to construct the visualization. None of your metadata is stored on our server.
You can revoke the access tokens by clicking on the center of Mohiomap and then clicking ‘disconnect’ for any of the services that you wish to remove the token from. Alternatively, you can go to the personal settings in Evernote, Dropbox, or Google Drive and expire any tokens from there. Please see the screenshot below for where it is done for each service.
Access tokens are encrypted before they are stored in our database, so even under a security breach a hacker would have to find out the encryption algorithm that we’ve used, not just the database. We are very confident that the system we use follows or exceeds the best practices suggested by AWS and the standards set for web applications.
It is our goal to provide you with a system that is as secure as possible, and we will do our best to exceed the standards set for web applications.