Security

Security matters a great deal at Spinal. Several measures are in place to keep standards high, and there are things customers can do on their side as well.

By using Spinal you trust us to do the right thing. Let's go over some of the most critical parts, and what you, as a Spinal customer, can do.

Encrypted data at rest

The most critical data is encrypted at rest. If someone does get hold of the database (or a backup of it), these fields are ciphertext and cannot be read without the encryption key. Note what this does and does not cover: it protects against a leaked copy of the database, not against an attacker who can act through the application itself with a valid session. Encrypted data includes:

  • email address;
  • API keys;
  • comments.

Comments are encrypted while content is not because the content is going to be published anyway, whereas conversations in the comments may contain business decisions.

Passwords are, of course, hashed, meaning the actual password is never stored in the database; only a one-way digest is kept and compared against the password you type when you log in.
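To make the two mechanisms above concrete, here is an added example (not Spinal's code) of field-level encryption at rest with AES-256-GCM and of salted password hashing with PBKDF2, followed by a check of what a stolen database row actually reveals. The key handling, the record layout and the sample values are assumptions made for illustration.

```ruby
# Added example, not Spinal's code: field-level encryption at rest plus
# password hashing, as described above. Key handling, record layout and
# sample values are assumptions made for illustration.
require "openssl"
require "securerandom"
require "base64"

# The data-encryption key must live outside the database (env var, secrets
# manager, KMS); here it is generated in memory so the example runs offline.
DATA_KEY = SecureRandom.random_bytes(32) # AES-256 key (assumed)

# Encrypt one field with AES-256-GCM: a fresh 12-byte nonce per value and a
# 16-byte authentication tag, stored together as nonce || ciphertext || tag.
def encrypt_field(plaintext, key = DATA_KEY)
  cipher = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  cipher.key = key
  nonce = cipher.random_iv
  ciphertext = plaintext.empty? ? "" : cipher.update(plaintext)
  ciphertext += cipher.final
  Base64.strict_encode64(nonce + ciphertext + cipher.auth_tag)
end

# Decrypt one field. A wrong key or a modified byte anywhere fails the tag
# check and raises OpenSSL::Cipher::CipherError instead of returning garbage.
def decrypt_field(encoded, key = DATA_KEY)
  raw = Base64.strict_decode64(encoded)
  nonce, ciphertext, tag = raw[0, 12], raw[12...-16], raw[-16..]
  cipher = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  cipher.key = key
  cipher.iv = nonce
  cipher.auth_tag = tag
  out = ciphertext.empty? ? "" : cipher.update(ciphertext)
  (out + cipher.final).force_encoding(Encoding::UTF_8)
end

PBKDF2_ITERATIONS = 600_000 # OWASP's recommended count for PBKDF2-HMAC-SHA256

# Store "scheme$iterations$salt$digest" so the parameters can change later
# without breaking verification of existing rows.
def hash_password(password)
  salt = SecureRandom.random_bytes(16)
  digest = OpenSSL::PKCS5.pbkdf2_hmac(password, salt, PBKDF2_ITERATIONS, 32,
                                      OpenSSL::Digest.new("SHA256"))
  ["pbkdf2-sha256", PBKDF2_ITERATIONS,
   Base64.strict_encode64(salt), Base64.strict_encode64(digest)].join("$")
end

def password_matches?(stored, candidate)
  scheme, iters, salt_b64, digest_b64 = stored.split("$")
  return false unless scheme == "pbkdf2-sha256"
  expected = Base64.strict_decode64(digest_b64)
  actual = OpenSSL::PKCS5.pbkdf2_hmac(candidate, Base64.strict_decode64(salt_b64),
                                      iters.to_i, expected.bytesize,
                                      OpenSSL::Digest.new("SHA256"))
  secure_equal?(actual, expected)
end

# Constant-time comparison so a verifier cannot be timed byte by byte.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# One user row as it would sit in a stolen dump: email and API key are
# ciphertext, the password is a salted hash, and the post body is plaintext
# because it is going to be public anyway (the page's reasoning).
def store_user(email:, api_key:, password:, post_body:)
  { email: encrypt_field(email), api_key: encrypt_field(api_key),
    password_digest: hash_password(password), post_body: post_body }
end

# True if any of the given secrets appears verbatim in the stored row.
def dump_leaks?(row, *secrets)
  secrets.any? { |s| row.values.any? { |v| v.include?(s) } }
end
```

The row produced by `store_user` is what an attacker with a database copy sees: the only plaintext is the public content, and the digest cannot be turned back into the password; it can only be checked against a guess, at 600,000 PBKDF2 iterations per guess.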

User session activity monitoring

Login sessions are monitored for suspicious behaviour. When something is detected, you'll be notified about it via email.

Purging empty and stale accounts

If we don't have it, we can't leak it. Spinal is a small, bootstrapped business, and it is not in the business of gathering (and selling) as much data as possible.

So empty accounts (no activity within 15 days of signup) and stale accounts (no activity in the last 150 days) are purged from the database and from backups. Accounts with an active subscription are exempt.

What can you do?

There are common-sense things you can do to keep your Spinal account (and thus your site's content) safe.

Invite trusted people only

Make sure you only invite people from your team.

A valid invite link lets anyone who has it sign up for access to your account (with the role the link grants), so treat it like a credential: anyone it is forwarded to, or who finds it in a chat log or screenshot, can use it. It's good security hygiene to rotate the link regularly, or, better, invite team members by email instead.
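The following added example (not Spinal's code) models the behaviour described above: a shareable link admits anyone presenting its token, rotating it kills every copy of the old link, and an email-bound invite is single-use and tied to one address. The `InviteLink` and `Team` classes, the 7-day validity and the URL shape are assumptions made for illustration.

```ruby
# Added example, not Spinal's code: why a shareable invite link should be
# rotated and why an email-bound invite is safer. The classes, the 7-day
# validity and the URL are assumptions made for illustration.
require "securerandom"

class InviteLink
  attr_reader :token, :role, :expires_at

  def initialize(role:, email: nil, ttl_seconds: 7 * 24 * 3600, now: Time.now)
    @role = role
    @email = email                            # nil means "shareable": anyone holding it may join
    @token = SecureRandom.urlsafe_base64(32)  # 256 bits of entropy, unguessable
    @expires_at = now + ttl_seconds
    @revoked = false
  end

  def shareable?; @email.nil?; end
  def revoke!;    @revoked = true; end

  def url
    "https://app.example.invalid/invite/#{@token}" # assumed URL shape
  end

  # Decide whether a signup presenting this link is allowed. In the shareable
  # case the signup email is not checked at all, which is exactly why a leaked
  # link is dangerous.
  def accept(signup_email:, now: Time.now)
    return [:rejected, :revoked] if @revoked
    return [:rejected, :expired] if now > @expires_at
    if @email && signup_email.downcase != @email.downcase
      return [:rejected, :wrong_email]
    end
    revoke! unless shareable? # email invites are single-use
    [:accepted, @role]
  end
end

class Team
  def initialize
    @links = {} # token => InviteLink; revoked links stay so rejections are explainable
  end

  def create_share_link(role:, now: Time.now)
    remember(InviteLink.new(role: role, now: now))
  end

  def invite_by_email(email, role:, now: Time.now)
    remember(InviteLink.new(role: role, email: email, now: now))
  end

  # Rotating revokes every shareable link issued so far and mints a new one;
  # copies of the old URL (chat logs, forwarded mail, screenshots) stop working.
  def rotate_share_link!(role:, now: Time.now)
    @links.each_value { |l| l.revoke! if l.shareable? }
    create_share_link(role: role, now: now)
  end

  def signup(token:, email:, now: Time.now)
    link = @links[token]
    return [:rejected, :unknown_token] unless link
    link.accept(signup_email: email, now: now)
  end

  private

  def remember(link)
    @links[link.token] = link
    link
  end
end
```

Run through the scenario: create a share link, let two unrelated addresses join with it, rotate, and watch the old token fail with `:revoked` while the email-bound invite accepts only its addressee and only once.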

Only select minimal repositories

When you connect the GitHub App, you can choose between All repositories and Only select repositories. Choose Only select repositories, so that Spinal can only ever reach the repositories you actually manage with it. The Spinal GitHub App requests Read/write access to repositories (plus the metadata access GitHub requires of every app); with All repositories, that write access would extend to repositories Spinal never needs, including any you create later. You can review and change which repositories the installation can access at any time under GitHub Settings, Applications, Installed GitHub Apps.

Have questions?

Something still unclear? Reach out to support.