Security

Introduction

Intentful Limited is a New Zealand company with NZBN 9429051533724 (Intentful, we, our, us). We provide a ‘software as a service’ cloud-hosted subscription service to our customers, which lets them use our software so that the end users of their website(s) can complete one or more surveys in relation to their website user experience and related matters (our Services).

Personal Information

Our Privacy Policy applies in relation to any personal information received by us.

Security-focused stack, built carefully

At Intentful, we believe in focusing on what we know well and leveraging the best in the business, as well as our own best practices, to ensure security. We generally use only major cloud providers who regularly undergo extensive security audits and certifications. More specifically, we use Supabase as our data storage provider to ensure your data is safe, Vercel for top-quality front-end hosting, and Amazon Web Services for other services. Each of these is SOC 2 compliant, ensuring enterprise-level security and certification.

We currently offer only magic link authentication. In future, we will require two-factor authentication (2FA) to ensure all our customers are safe from brute-force password attacks and identity theft.

Our code is thoughtfully checked, including internal audits against the OWASP Top 10 to ensure our engineers follow best practices.

Protecting your data

All customer data is encrypted at rest with AES-256, and in transit via TLS. This is the strongest encryption practically available and even protects against quantum computers. This means you'll only be able to access our website using HTTPS rated at an A+ level with SSLlabs.com.

To keep data private, we use row-level security so that your data is only ever available to you and your staff, and to our engineers in cases where they need to access it.

Backups

We back up your data daily to an off-site location. Should we suffer any major outage, loss of service from an upstream provider or other disaster, our intended model is that your data will be stored in two geographical locations in two different hemispheres. As with all matters technical (and as we do not control all third parties involved), we are unable to guarantee that your data will never be lost as a result of one or more technical failures beyond our reasonable control. Further, once you terminate the use of our Services, we will only retain your data for a limited period of time (usually 90 days) after termination occurs. As a result, we strongly encourage you to retain copies of your data on your systems at all times.

Vulnerability Management

We continually monitor our codebase using analysis tools to ensure we don't have any software with known vulnerabilities, applying an ASAP approach to patching and upgrades. Our servers are also monitored automatically to ensure we are notified in the case of any changes that alter our security profile.

Role-based access control

Our engineers and administrators have only the access they need to do their jobs. Access is maintained through a process of onboarding and offboarding for all staff and contractors.

Experience

Our team includes a group of seasoned professionals, many of whom have been working on the web since the 90s. These old salts have seen some things and don't take security lightly.

Reporting and Disclosure

We pledge to notify our customers of a security breach or likely exposure of customer data within the same business day it occurs.

For more information about security, or if you have any questions whatsoever, email us at security@intentful.com.