Our team is aware of the recent vulnerability in the Java Log4j logging system. Nutshell’s infrastructure has minimal exposure to Java, and upon learning of the vulnerability, we conducted a review of our systems. We have not identified any system which runs an affected version of Log4j, including our Solr and Jenkins infrastructure.
We continue to review our systems to ensure the security of your data, and we will continue to monitor industry security lists for issues like this.
We use bank-grade, 256-bit TLS 1.2 encryption every time you access your Nutshell account, whether it’s via the web or our mobile applications. Your data is encrypted at rest in our databases.
All data is immediately replicated to multiple servers. We also take twice-daily, weekly, and monthly snapshots. Third-party monitoring services immediately page our team with any issue. See live availability updates at status.nutshell.com.
We use a PCI-compliant provider to securely store your billing information. Credit card information is not stored on our servers.
Passwords are encrypted one-way and cannot be accessed by Nutshell staff.
We successfully completed a Cloud Application Security Assessment (CASA) assessment for our web application, validating that we meet the security requirements set out by the App Defense Alliance (ADA).
The requirements include alignment with industry-leading security frameworks and a lack of findings linked to common weakness enumerations (CWEs) with high or medium risk of exploit.
Our engineering team has experience managing petabytes of data securely and durably. We take the following steps to keep your data secure at rest and as it transits networks.
Our support team is based in-house with our Ann Arbor engineering team. We will only access your account with your permission to troubleshoot support issues. Staff will never ask for your Nutshell password.
Your credit card and billing information is stored securely. Our billing provider is PCI-compliant and managed separately from Nutshell application systems.
Nutshell uses one-way hashing to securely store a representation of your password. We cannot retrieve a password — you must use our forgotten password tool in conjunction with your email address to recover your password. It is your responsibility to keep your Nutshell email address up-to-date.
It is your responsibility to choose secure passwords and to keep them safe. Nutshell cannot be responsible for data that is compromised due to an insecure or stolen user password. If you are authenticating with Nutshell via a third-party (e.g., Google Apps), those passwords must also be secured.
If you are a security researcher or you believe that you have encountered a problem in Nutshell’s security, please review the following notes.
Nutshell does not offer a bug bounty program to pay for reports.
Please report any security concerns to firstname.lastname@example.org. If you need to send an encrypted message, you can find it on Keybase.
We ask that you give us a reasonable amount of time to respond to reports before making information public.
Please do not conduct any security research that could result in the destruction of data, interruption or degradation of service. This includes the use of automated tools or scanners: they are likely to cause your IP address to be banned.
We don’t accept responsible disclosure reports around the following issues:
Join 30,000+ other sales and marketing professionals. Subscribe to our Sell to Win newsletter!