Overview of Security Practices
Contacts+ is committed to protecting the security of personal data and contact data stored in Contacts+’s applications. If you are a user and believe your account may have been compromised for any reason, please contact support with as many details as you can provide. For information about our privacy practices, visit our privacy page.
Information for Security Researchers
Contacts+ is committed to working with security experts around the world to stay up to date with the latest security techniques. If you have discovered a security issue that you believe we should know about, we’d be happy to work with you.
Information for Users
Guarding our users against security breaches is something we take seriously. We are committed to doing all we can to remain secure and helping our users to manage their own account security responsibly.
Information for Users
At Contacts+, the security of your data is a serious priority that we’re committed to.
What Contacts+ does to protect data
We use a variety of industry-standard security technologies and procedures to help protect personal and public data from unauthorized access, use, or disclosure. We require users to enter passwords to access account information. To protect data in transit, Contacts+ encrypts all traffic using TLS configured according to industry best practices. Contact data in Contacts+ is stored using 256-bit AES encryption at rest.
Deletion and recovery of information in your address book
Contacts+ saves a history of all changes made to contact information by our users and our synchronization technologies. Recovery of historical contact information is available to all active users for all time.
Security testing and updates
Contacts+’s security team tests for security vulnerabilities and bugs on a regular basis, and we also partner with industry security teams and the security research community to help make our security procedures better. Potential security risks can be reported to us on the third-party service OpenBugBounty.
Secure physical location
Our servers are located in Amazon’s AWS data centers. Our users can find information about the security of Amazon’s servers at https://aws.amazon.com/compliance/.
We hold our employees to strict guidelines regarding confidentiality and do not allow disclosure of personal or private contact information to any third party without permission.
Recommended precautions for our users
We recommend creating a strong and unique password to use when accessing your Contacts+ account, and changing it to another strong and unique password on a regular basis. This helps prevent unauthorized access to your account in the case of a data breach involving compromised passwords on our system or another system you access with the same or a similar password. Please do not disclose your account password to unauthorized people or make your password easy to guess. No method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, while Contacts+ uses reasonable efforts to protect your Personal Data, Contacts+ cannot guarantee its absolute security.
Information for Security Researchers
If you are a Security Researcher, please let us know about any security issue and we’ll make every effort to quickly correct it. However, you must follow our responsible disclosure policy:
- Disclose the vulnerability and all known details promptly. We do not assign bounties until full disclosure has been made and the scope and severity of a given vulnerability have been completely evaluated. Bounties are assigned entirely at the discretion of Contacts+’s security team; often investigation will find that the scope of a vulnerability is greater than initially reported, leading to higher bounties. We aim to pay fair bounties and encourage motivated security professionals to continually test our properties and services.
- Give us a reasonable time to respond to the issue before making any information about it public in order to protect our users from a possible malicious attack in response to your disclosure. You’re more than welcome to post a write-up after the issue has been fixed and public disclosure has been agreed upon.
- Act in good faith not to degrade the performance of our services (including denial of service). We understand accidents may happen.
- Strive not to access or modify information in users’ accounts should you find a vulnerability. If necessary, please create a second account to demonstrate the issue. If you cannot, you may report using real accounts.
- Limit the scope of your activities to Contacts+ properties, not those belonging to other services we may use, such as analytics providers or support helpdesks. Those issues should be reported to the providers directly. If you’re unsure how to proceed, or have questions about whether a vulnerability is eligible for a bounty, please contact us!
We will not take legal action or engage with law enforcement for security activities provided you comply with this policy. Please read about our eligibility guidelines and report security issues using our program page. If you need to speak with the security team, send an email to firstname.lastname@example.org.