We take the security and reliability of your data seriously.
Every day, thousands of businesses trust Nutshell to safely and reliably store important information. We partner with the industry’s most trusted infrastructure provider, Amazon Web Services (AWS) to store and secure your data.
Log4j / Log4Shell update
Our team is aware of the recent vulnerability in the Java Log4j logging system. Nutshell’s infrastructure has minimal exposure to Java, and upon learning of the vulnerability, we conducted a review of our systems. We have not identified any system which runs an affected version of Log4j, including our Solr and Jenkins infrastructure.
We continue to review our systems to ensure the security of your data, and we will continue to monitor industry security lists for issues like this.
We use bank-grade, 256-bit TLS 1.2 encryption every time you access your Nutshell account, whether it’s via the web or our mobile applications. Your data is encrypted at rest in our databases.
All data is immediately replicated to multiple servers. We also take twice-daily, weekly, and monthly snapshots. Third-party monitoring services immediately page our team with any issue. See live availability updates at status.nutshell.com.
Protected financial data
We use a PCI-compliant provider to securely store your billing information. Credit card information is not stored on our servers.
Passwords are encrypted one-way and cannot be accessed by Nutshell staff.
And here are the details for the security pros:
Our engineering team has experience managing petabytes of data securely and durably. We take the following steps to keep your data secure at rest and as it transits networks.
- Firewalls, VPNs, modern Linux operating systems, conservative network and security group configuration
- Encryption at rest
- VPNs to secure employee access and encrypt all data that transits Internet links
- Nutshell passwords are salted and one-way hashed. Our staff cannot access or see your password
- Login pages are protected against brute-force attacks
- We follow industry security lists and promptly patch critical issues (we patched Heartbleed within hours)
- We use a multi-tenant data storage architecture. Customer data is stored in discrete silos per account, to isolate and protect your data
Backups and reliability
It’s critical to be able to access your data at all times. Here’s how we ensure availability:
- Twice-daily, weekly and monthly snapshots of all customer data
- Continuous, live replication to multiple hot spares — in multiple availability zones (“AZs”)
- Multiple third-party monitoring services track Nutshell’s availability across the planet
- On-call engineers are automatically paged for any customer-facing outage
- status.nutshell.com hosted externally with metrics provided by a third party and updates from our operations team
- One-click data zip export tool, to download all your Nutshell data for legal compliance or portability
Our support team is based in-house with our Ann Arbor engineering team. We will only access your account with your permission to troubleshoot support issues. Staff will never ask for your Nutshell password.
- All staff computers run with full-disk encryption and strong passwords
- We limit our internal network’s exposure to Windows
- Every Nutshell employee receives a copy of 1Password on their first day
- Offices are secured with individual keycard access
Your credit card and billing information is stored securely. Our billing provider is PCI-compliant and managed separately from Nutshell application systems.
Nutshell uses one-way hashing to securely store a representation of your password. We cannot retrieve a password — you must use our forgotten password tool in conjunction with your email address to recover your password. It is your responsibility to keep your Nutshell email address up-to-date.
It is your responsibility to choose secure passwords and to keep them safe. Nutshell cannot be responsible for data that is compromised due to an insecure or stolen user password. If you are authenticating with Nutshell via a third-party (e.g., Google Apps), those passwords must also be secured.
If you are a security researcher or you believe that you have encountered a problem in Nutshell’s security, please review the following notes.
Nutshell does not offer a bug bounty program to pay for reports.
Please report any security concerns to email@example.com. If you need to send an encrypted message, you can find it on Keybase.
We ask that you give us a reasonable amount of time to respond to reports before making information public.
Please do not conduct any security research that could result in the destruction of data, interruption or degradation of service. This includes the use of automated tools or scanners: they are likely to cause your IP address to be banned.
We don’t accept responsible disclosure reports around the following issues:
- Iframe / UI redress issues related to X-Frame-Options headers
- HSTS implementation
- User-provided password strength
- SPF, DKIM and DMARC configuration issues
- User enumeration issues (we utilize rate limiting to protect our users)
- Presence of banner or version information
We’ve received disclosures from many individuals and organizations to make Nutshell a more secure place. You can read about them here.