Security and Performance

Keeping you and your status page subscribers safe.

Section 1

Product Security

All the features you need to keep your status page, team members and subscribers secure.

SSL / HTTPS

In addition to our application and API, we also provide each status page with a free TLS certificate, even when using your companies own domain name. Let’s Encrypt issue and automatically renew these certificates on our behalf.

Help: Setting Up SSL
Password Policies

By default, we don’t enforce password policies, as if used poorly, they may, in fact, harm security, causing users to write them down if they’re hard to remember.

Password Storage

All passwords are one-way encrypted when stored in the database, and the database itself encrypted at rest, to ensure the original password can never be compromised.

SSO with Google & SAML

You can sign in to your Sorry account using Google, or a SAML provider of your choice. You can also ease the management of your team with just-in-time provision of new team members and single log-out.

Roles & Permissions

We have a straightforward but practical approach to roles, ensuring that only the account owner can perform the most destructive activities, and only nominated team members can invite other people.

Got a security feature suggestion? We’d love to hear it.

Section 2

Network & Internal Security

Behind the scenes, we work hard to ensure that each piece of our infrastructure is secure.

Encryption

We encrypt all traffic to and from Sorry over HTTPS. Sensitive data such as email addresses and passwords are also encrypted when stored in the database.

The database files themselves are encrypted at rest on the file-system, as are any backups.

Password Management

Internally we use password managers like 1Password and LastPass to ensure that all passwords used by the team are complex and unique.

2FA Provider Logins

All critical infrastructure services, such as Herokuand AWS, are secured using 2FA, as an added layer upon the unique passwords.

Vulnerability & Pen-Testing

We run regular automated scans of our product using Intruder to help us identify potential vulnerabilities. We also make reporting a vulnerability easy for those who find them, with a dedicated mailbox.

Backups & Data Retentions

We run point-in-time style backups, allowing us to rollback data to any point over the past few days.

We also perform snapshot style backups on a nightly basis, again stored for about a week.

Section 3

Change Management

As a growing and agile business, we often deploy changes multiple times per day; this is how we keep things reliable.

Regular, Small Changes

Making these small incremental changes, rather than substantial, weekly, monthly or quarterly releases, actually helps us minimize the risk of breaking something.

Automated Testing

All changes released goes through our continuous integration pipeline, where we run 1000+ automated tests before deployment.

Post-release, we regularly test the application using automated tests from Ghost Inspector, which simulates everyday tasks, looking for errors.

Version Control

We store all code in version-control with GitHub, this helps maintain a comprehensive audit of all changes, to make the diagnosis of issues more straightforward.

Instant Rollbacks

We can quickly rollback a change after release if we find an issue, meaning we can speedily mitigate newly introduced bugs while we investigate the real cause.

Change Log

All changes we make at Sorry, such as infrastructure improvements, feature releases, bug fixes or security patches, are logged on our status page.

Section 4

Incident Response

It’s our business, so we take it seriously.

Monitoring

Early detection of issues is key to a good response. We use both Pingdom and NewRelic to monitor the application regularly, not only for the accessibility of particular endpoints but also performance thresholds such as load times and the length of background queues.

Bug & Error Reporting

We track all errors in Sentry & NewRelic, which makes our diagnosis of issues when they arise a much quicker task.

Alerting

We use PagerDuty to alert team members when our monitoring services spot an issue, ensuring that the alert gets to someone, even if they’re busy, or asleep in the middle of the night.

Post-Incident Investigation

After incidents happen, we deep-dive into them, not only to understand what caused them but also assess how we could respond better next time around.

Keeping You Notified

All of our customers are automatically subscribed to our status page, to receive notifications about incidents affecting the parts of our product they use..

We try our best to use honest and straightforward language to describe the issue, take responsibility for what’s happening, explain what’s broken, and set your expectations for when we’ll have it fixed.

Our “best practices” for incident response are available in our free guide Weathering the Storm.

Compliance

All the features you need to keep your status page, team members and subscribers secure.

Homepage views

We fully comply with GDPR, and also provide some features to help you stay compliant yourself when collecting subscriber information.

Homepage views

We’re regularly tested by Intruder to ensure we remain OWASP compliant, protecting against the most common vulnerabilities such as Injection, Broken Authentication and Cross-Site Scripting.

Homepage views

We are Cyber Essentials certified by the UK National Cyber Security Centre (NCSC).