We take security seriously. And it’s not just a statement, but a way we plan, develop and deliver our product.
Shifton’s services and data are hosted in EU region
All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorised requests getting to our internal network.
Access to customer data is limited to authorised employees who require it for their job.
All data encrypted on transfer with high grade encryption. All endpoints, either Interfaces or APIs limited to HTTPS access. We enforce best practices like use of TLS 1.3, HSTS and CAA, always receiving best result at Qualys SSL labs test
We implement a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem.
We have a multi-region recovery and failover deployment, assuring customer data safety and high availability. We monitor all system components and effectively respond to issues that arise.
Shifton support OpenID-based SSO for two most popular providers
Shifton implements a sophisticated RBAC system and has multiple built-in roles available for all customers. Combined with multi-level hierarchy, it allows setting app different fine-grained access levels.
All passwords pass one way hashing with bcrypt library and never stored plain text.
Enterprise customers may be eligible for additional security features, among them
We have strict clear policies related to security and privacy. All employees pass training to be familiar and up to date with all changes.
All employee contracts include a confidentiality agreement.
As any modern SaaS product we use other platforms to implement some features. None of those products and services have access to customer data, beyond minimal amount required for functionality
We use Stripe as our payment processor. Details about their security and PCI compliance can be found at Stripe’s security page.
We use Intercom for a Live Chat on our website and app. To learn more about their security and compliance please visit Intercom’s Security page
Used for SSO (Entra ID) and website analytics
Used for website analytics, SSO, push notifications delivery, Maps platform and other features