All communications are encrypted in transit with SSL/TLS 1.2, so they cannot be viewed by a third party. This is the same level of encryption used by banks and financial institutions.
Our infrastructure runs inside data centers designed and operated by Google Cloud Platform (GCP).
Our servers are based in the US central region. GCP data centers feature state-of-the-art environmental security controls to safeguard against fires, power loss, and adverse weather conditions. Physical access to these facilities is highly restricted, and they are monitored by professional security personnel.
Our systems are containerized and run the latest stable versions of Debian and Python. Each container image is scanned for security vulnerabilities before it can be deployed.
Our applications can gracefully handle Layer 4 and below attacks, such as SYN floods, IP fragment floods, port exhaustion, and so on. Additionally, we are in the evaluation phase for Google Cloud Armor.
All customer data is stored securely in an encrypted, highly available Google Cloud SQL database and in Google Cloud Storage, both of which offer 99.9% or better uptime SLAs.
By default, new screenshots are private and you are the only one able to access them. Only when you share them with one of our integration vendors, or explicitly share the screenshot URL, are they accessible outside of Volley. Additionally, all screenshot URLs are signed and given time-limited resource access of 24 hours. At any time, you can decide to delete your screenshots.
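The signed, time-limited URL idea described above, as an added example that is not Volley's code: the HMAC-SHA256 scheme, the `expires` and `sig` parameter names, the key, and the sample path are all assumptions made for illustration.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

SIGNING_KEY = b"constructed-demo-key-not-a-real-secret"  # assumption: server-side secret
TTL_SECONDS = 24 * 60 * 60  # the 24-hour access window stated above


def _mac(path: str, expires: int) -> str:
    # The MAC covers the resource path and the expiry together, so neither
    # can be changed without invalidating the signature.
    msg = f"{path}\n{expires}".encode()
    return hmac.new(SIGNING_KEY, msg, hashlib.sha256).hexdigest()


def sign_url(path: str, now: Optional[int] = None) -> str:
    """Return path?expires=...&sig=..., valid for TTL_SECONDS from `now`."""
    issued = int(time.time()) if now is None else now
    expires = issued + TTL_SECONDS
    return f"{path}?{urlencode({'expires': expires, 'sig': _mac(path, expires)})}"


def verify_url(url: str, now: Optional[int] = None) -> bool:
    """Accept only an unmodified URL whose expiry has not passed."""
    current = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError):
        return False  # missing or malformed parameters
    if len(query["expires"]) != 1 or len(query["sig"]) != 1:
        return False  # duplicated parameters are ambiguous, so reject them
    # Compare in constant time before trusting the expiry value.
    expected = _mac(parts.path, expires)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return False
    return current <= expires
```

Because the expiry is inside the signed message, a recipient of a shared link cannot extend its lifetime by editing the `expires` parameter.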
When you enter your authentication credentials, they are encrypted using Fernet symmetric encryption (128-bit AES in CBC mode, using PKCS7 padding, with HMAC using SHA256 for authentication) and then stored in our encrypted Postgres database.
We log activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and anomaly detection.
We process payments with Stripe, which has been audited by a Payment Card Industry Standard-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of PCI DSS certification available. Payment information is transmitted directly to Stripe via HTTPS for secure storage and is never transmitted to or stored in Volley.