Security

We take security seriously. And it’s not just a statement, but a way we plan, develop and deliver our product. 

Infrastructure Security

Shifton’s services and data are hosted in EU region

Network

All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorised requests getting to our internal network.

Permissions and Authentication

Access to customer data is limited to authorised employees who require it for their job.

Encryption

All data encrypted on transfer with high grade encryption. All endpoints, either Interfaces or APIs limited to HTTPS access. We enforce best practices like use of TLS 1.3, HSTS and CAA, always receiving best result at Qualys SSL labs test

Incident Response

We implement a protocol for handling security events which includes escalation procedures, rapid mitigation and post mortem.

Disaster Recovery, Back Ups and Monitoring

We have a multi-region recovery and failover deployment, assuring customer data safety and high availability. We monitor all system components and effectively respond to issues that arise. 

Product security features

SSO

Shifton support OpenID-based SSO for two most popular providers

Permissions

Shifton implements a sophisticated RBAC system and has multiple built-in roles available for all customers. Combined with multi-level hierarchy, it allows setting app different fine-grained access levels.

Passwords

All passwords pass one way hashing with bcrypt library and never stored plain text. 

Enterprise features

Enterprise customers may be eligible for additional security features, among them



Employee security commitment

Policies

We have strict clear policies related to security and privacy. All employees pass training to be familiar and up to date with all changes. 

Confidentiality

All employee contracts include a confidentiality agreement.

Sub-processors

As any modern SaaS product we use other platforms to implement some features. None of those products and services have access to customer data, beyond minimal amount required for functionality

Stripe

We use Stripe as our payment processor. Details about their security and PCI compliance can be found at Stripe’s security page.

Intercom

We use Intercom for a Live Chat on our website and app. To learn more about their security and compliance please visit Intercom’s Security page

Microsoft

Used for SSO (Entra ID) and  website analytics 

Google

Used for website analytics, SSO, push notifications delivery, Maps platform and other features