Transistor's Security Details

Introduction

As a podcast hosting and analytics application, we recognize the importance of excellent security practices. While we are a small team, we take security seriously.

General Security Practices

  • Access to servers, source code, and third-party tools are secured with two-factor auth whenever possible.

  • We use strong, randomly-generated passwords that are never re-used.

  • Contractors we hire are given the lowest level of access that allows them to get their work done.

  • We use automatic security vulnerability detection tools to alert us when our dependencies have known security issues. We are aggressive about applying patches and deploying quickly.

  • We don't copy production data to external devices (like personal laptops).

Authentication

At sign-up, each user sets up a new account with their email and password. User passwords are hashed using BCrypt before being stored. Passwords are never stored in plain text and are filtered out of our application logs.

Encryption

All communication between the Transistor app and our backend service is encrypted with TLS. We use Automated Certificate Management provided by Let’s Encrypt. User data is stored in Amazon Web Services RDS PostgreSQL and details of their implementation can be found here. Our RDS database is only accessible directly from our application servers in the same network.

Payments

Credit cards are encrypted, stored, and processed by Stripe with AES-256 encryption. Full details are on the Security at Stripe page. Transistor stores a token provided by Stripe to reference a customer's credit card through the Stripe API. Credit cards are not stored on Transistor servers, nor do we have access to the card number or details, and do not pass through Transistor servers. All communication with Stripe is handled over an encrypted TLS connection.

FAQs

What user data do you collect?

We're not in the business of making money off of data. However, we do collect information about how users are interacting with the app so we can improve the product and provide faster, more effective support when issues arise. These events include:

  • Sign-In and Sign-Out events

  • Interaction with features of the app

  • Crashes and other errors

Users are identified in our system by their email address and are asked to provide a name. We don't attempt to collect any demographic information.

How long is data retained and can I have it removed?

Server and application logs are retained for a maximum of one week, after which they are permanently deleted. Application analytics will be permanently deleted on request.

How do I report a potential vulnerability or security concern?

Please email us at mail@transistor.fm, which will notify us very loudly and we'll get back to you ASAP.

Do you maintain any security certifications such as SOC 2 or ISO 27001?

While we'd eventually love to achieve these certifications, we don't hold them at this time.