We take security seriously

We process sensitive data and therefore we take security seriously. Our products are built up to current security standards and we perform regular security audits.

  • Security policy

    We have a security policy that all employees and contractors adhere to

  • Penetration testing

    Our systems are subject to penetration testing, both internal and external

  • Regular updates

    Vulnerabilities have the highest priority and are usually fixed within hours

  • Enforced SSL encryption

    We enforce HTTPS across all of our systems; insecure HTTP is disabled

  • Automated backups

    We backup all your data frequently and redundantly

  • Audit trail

    We irreversibly log all actions within our app, both for users and admins

  • Employee screening

    All employees are screened thoroughly before being given infrastructure access

Where is my data stored?

We use Amazon Web Services as our infrastructure provider. Your data is stored in the AWS Cloud. The main database servers are physically located in the AWS datacenter in Frankfurt, Germany. We also use some auxiliary AWS services elsewhere (Dublin, Prague).

Industry-grade security practices apply. Instance servers are hidden behind firewalls. All database servers are in a Virtual Private Cloud (VPC), which means they cannot be accessed directly from the internet. We use strong encryption across our infrastructure. Every access is logged and we run automated backups frequently.

Who has access to my data?

We limit access to your data as much as possible. No employee has direct access to the production database. Only developers have access to the infrastructure. Every access to production infrastructure has to be permitted and is logged. Developers and customer support representatives are able to log into your account, but we only do so with your permission, and every such access is logged.

We are using Hotjar inside our app. Hotjar collects data about how you use Retino and we use it to make our software even better. We mask all personal and sensitive data, so that those are not sent to Hotjar.

Who owns the data I put into Retino?

At all times, you own the data. From the GDPR point of view, we are data processors.

When you delete data inside Retino (e.g. a particular ticket), in some cases we do not delete the data physically; we just hide it. We do this because our customers regularly delete important information by accident. This way, we can restore the data easily in seconds. You can always ask us to delete data permanently and we will happily do that for you.

We always provide an easy way to export your data from Retino.

GDPR compliance?

Yes, we are compliant with GDPR. We are data processors from the GDPR point of view. You can exercise the “right to be forgotten” easily within Retino. If you need legal guidance in terms of GDPR and Retino, get in touch with us.

Is your app secure?

Yes. We use modern and regularly updated technologies. We are protected from SQL injection, XSS, CSRF, clickjacking, man-in-the-middle attacks, fake host headers and many other attacks. Our frameworks and policies make it hard for our developers to accidentally introduce a vulnerability into our codebase. All code going into production undergoes mandatory code review and is automatically tested. We perform code audits according to OWASP security guidelines regularly.

We have a SecurityHeaders.io A rating.

How do you store passwords?

Our passwords are stored using a slow, salted hashing algorithm. At the moment, we use PBKDF2 (SHA256, 100k iterations, with salt). In the past we also used the same algorithm with 36k iterations. We have a password management policy in place that upgrades a password hash to the newest standard once the user logs in. Our authentication system is also able to wrap different algorithms, which is useful when a hashing algorithm gets severely broken and needs to be pushed out of the system fast.

Renowned security expert Michal Špaček gives our policy an A rating.