
How we do security

July 8, 2014

Written by

Jun Huh, Chief Technology Officer

Many of our users have contacted us recently asking how we assure the security of their personal data. Concerns about privacy and security have been in the spotlight, particularly since incidents like the OpenSSL Heartbleed bug and the NSA collecting private information. The raised awareness of the general public is great for the Internet going forward, and we believe it is a good time to talk about how we handle personal data in Mohiomap.

Servers

Our servers are hosted using Amazon Web Services, and we use their best practices with IAM and restricted admin connectivity to the servers. Amazon Web Services is one of the leading data hosting providers and is trusted by a wide range of clients.

Database Server

We have a dedicated database server that is accessible only from the internal network and requires a separate access key. Your personal data, such as your e-mail, password, and access tokens, is stored on this server, which is accessible only via our app server and is not exposed to the outside.

Passwords

All of your passwords are salted and hashed before being stored in our database, using a variation of PBKDF2.
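The following sketch shows salted PBKDF2 password storage in general terms; it is an added example, not Mohiomap's code. The hash function (SHA-256), iteration count, salt length, record layout and all function names are assumptions, since the post only says "a variation of PBKDF2".

```python
import base64
import hashlib
import hmac
import os

# Assumed parameters (not stated in the post): PBKDF2-HMAC-SHA256,
# a 16-byte random salt per password, and 600,000 iterations.
ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt for every password
    derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    encoded = [base64.b64encode(part).decode("ascii") for part in (salt, derived)]
    return "$".join([ALGORITHM, str(iterations), *encoded])


def verify_password(password, record):
    """Recompute the hash using the salt and iteration count stored in the record."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
        if algorithm != ALGORITHM:
            return False
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
        derived = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    except (ValueError, OverflowError):
        return False  # malformed record: fail closed
    return hmac.compare_digest(derived, expected)  # constant-time comparison


def needs_rehash(record):
    """True when the record uses fewer iterations than the current setting."""
    try:
        return int(record.split("$")[1]) < ITERATIONS
    except (IndexError, ValueError):
        return True
```

Storing the iteration count next to the salt lets the work factor be raised later: a record flagged by `needs_rehash` can be replaced with a fresh `hash_password` result the next time that user logs in successfully.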

Access tokens

Once you grant our app access to your Cloud data (e.g. connect your Evernote or Dropbox account), our application has full read / write access, but we never access your file / note contents, and only analyze metadata surrounding notes and files to construct the visualization. None of your metadata is stored on our server.

The access tokens can be revoked by clicking on the center of Mohiomap, and clicking ‘disconnect’ for any of the services that you wish to remove the token from. Alternatively, you can go to Evernote, Dropbox, or Google Drive, open your personal settings, and expire any tokens from there. Please see the screenshot below for where it is done for each service.

Disconnecting account from Evernote
Disconnecting account from Google Drive
Disconnecting account from Dropbox

Regarding access tokens, they are encrypted and then stored in our database, so even under a security breach a hacker would have to find out the encryption algorithm that we’ve used, not just access the database. We are very confident that the system we use follows or exceeds the best practices suggested by AWS and the standards set for web applications.

For additional information on privacy, please refer to our privacy policy:

https://www.moh.io/privacy/

It is our goal to provide you with a system as secure as possible, and we will do our best to exceed the standards set by web applications.

About the author

Jun Huh, Chief Technology Officer

Jun leads our continually growing software engineering team and has many years of experience with the development of visualization software, in both commercial and research environments.
