Security

At Spinal security is really important. There are various measures in place to keep standards high. Besides that, there are things customers can do too.

By using Spinal you trust us to do the right thing. Let’s go over some of the most critical bits and what you, as a Spinal customer, can do.

Encrypted data at rest #

The most critical data is encrypted at rest. This means that if someone does get access to the database, this data is not exposed in plain text. Encrypted data includes:

  • email address;

  • API keys;

  • comments.

The reason comments are encrypted and content isn’t is that the content will be public anyway, while conversations in the comments might contain business decisions.

Passwords are, of course, hashed (meaning the actual password is never stored in the database).

User session activity monitoring #

Login sessions are monitored for suspicious behaviour. When something is detected you’ll be notified about it via email.

Purging empty and stale accounts #

If you don’t have it, you can’t leak it. Spinal is a small, bootstrapped business, and is not in the business of gathering as much data as possible (and selling it).

So empty accounts (no activity within 15 days of creation) and stale accounts (last activity older than 150 days) are purged from the database and backups, with the exception of accounts with an active subscription.

What can you do? #

There are common-sense things you can do to keep your Spinal account (and thus your site’s content) safe.

Invite trusted people only #

Make sure you only invite people from your team.

A valid invite link allows anyone who has it to sign up and access your account (with the given access level and role). It’s good security hygiene to rotate the link regularly.

Create a specific account to connect with GitHub #

When you connect your personal GitHub account to Spinal, you give Spinal access to all your repositories. While we do everything possible to keep things safe, having a dedicated GitHub user that can access only your static site’s content is good practice (least privilege). Feel free to reach out to support if this sounds too complicated.

In Summer 2023 a GitHub app will be launched that lets you set the repository access yourself.

Have questions?

Something still unclear? Reach out to support.