Faithlife follows the principles of Coordinated Vulnerability Disclosure. If you believe that you've found a Faithlife-related security vulnerability, please report it by sending an email to firstname.lastname@example.org.
The PGP key for email@example.com can be used to send encrypted email.
Sessions between your computer and Faithlife are protected with in-transit encryption using TLS 1.2 or better.
Faithlife monitors potential attacks with several tools, including network-level firewalling.
Software Development Lifecycle (SDLC) security
Faithlife implements static code analysis tools and human review processes to ensure consistent quality in our software development practices.
Payment Card Industry (PCI-DSS) compliance
Faithlife maintains compliance with PCI-DSS requirements and performs annual and quarterly security assessments on our infrastructure, applications, and personnel.
Faithlife products are hosted with infrastructure providers with SOC 2 Type II and ISO 27001 certifications, among others. The certified protections include dedicated security staff, strictly managed physical access control, and video surveillance.
Faithlife’s patch management process identifies and addresses missing patches within the product infrastructure. Server-level instrumentation ensures tracked software packages use the appropriate versions.
Audits, Vulnerability Assessment, and Penetration Testing
Faithlife tests for potential vulnerabilities on a recurring basis. We run static code analysis and infrastructure vulnerability scans.
Faithlife uses third-party penetration testing firms multiple times per year to test Faithlife products and infrastructure.
External audit and certification
Our infrastructure providers maintain ISO 27001, SOC 2 Type II, and many other certifications (AWS, GCP).