We take the security and reliability of your data seriously.

Powered and secured by Amazon Web ServicesEvery day, thousands of customers trust Nutshell to safely and reliably store important information. We partner with the industry’s most trusted infrastructure provider, Amazon Web Services (AWS) to store and secure your data.

Always encrypted

We use bank-grade, 256-bit TLS 1.2 encryption every time you access your Nutshell account, whether it’s via the web or our mobile applications. Your data is encrypted at rest in our databases.

Continuous backups

All data is immediately replicated to multiple servers. We also take twice-daily, weekly, and monthly snapshots. Third-party monitoring services immediately page our team with any issue. See live availability updates at status.nutshell.com.

Protected financial data

We use a PCI-compliant provider to securely store your billing information. Credit card information is not stored on our servers.

Secured passwords

Passwords are encrypted one-way and cannot be accessed by Nutshell staff.

And here are the details for the security pros:

Network security

Our engineering team has experience managing petabytes of data securely and durably. We take the following steps to keep your data secure at rest and as it transits networks.

  • Firewalls, VPNs, modern Linux operating systems, conservative network and security group configuration
  • Encryption at rest
  • VPNs to secure employee access and encrypt all data that transits Internet links
  • Nutshell passwords are salted and one-way hashed. Our staff cannot access or see your password
  • Login pages are protected against brute-force attacks
  • We follow industry security lists and promptly patch critical issues (we patched Heartbleed within hours)
  • We use a multi-tenant data storage architecture. Customer data is stored in discrete silos per account, to isolate and protect your data

Backups and reliability

It’s critical to be able to access your data at all times. Here’s how we ensure availability:

  • Twice-daily, weekly and monthly snapshots of all customer data
  • Continuous, live replication to multiple hot spares — in multiple availability zones (“AZs”)
  • Multiple third-party monitoring services track Nutshell’s availability across the planet
  • On-call engineers are automatically paged for any customer-facing outage
  • status.nutshell.com hosted externally with metrics provided by a third party and updates from our operations team
  • One-click data zip export tool, to download all your Nutshell data for legal compliance or portability

Operational security

Our support team is based in-house with our Ann Arbor engineering team. We will only access your account with your permission to troubleshoot support issues. Staff will never ask for your Nutshell password.

  • All staff computers run with full-disk encryption and strong passwords
  • We limit our internal network’s exposure to Windows
  • Every Nutshell employee receives a copy of 1Password on their first day
  • Offices are secured with individual keycard access

Financial security

Your credit card and billing information is stored securely. Our billing provider is PCI-compliant and managed separately from Nutshell application systems.

Passwords

Nutshell uses one-way hashing to securely store a representation of your password. We cannot retrieve a password — you must use our forgotten password tool in conjunction with your email address to recover your password. It is your responsibility to keep your Nutshell email address up-to-date.

It is your responsibility to choose secure passwords and to keep them safe. Nutshell cannot be responsible for data that is compromised due to an insecure or stolen user password. If you are authenticating with Nutshell via a third-party (e.g., Google Apps), those passwords must also be secured.

Responsible disclosure

If you are a security researcher or you believe that you have encountered a problem in Nutshell’s security, please review the following notes.

Please report any security concerns to security@nutshell.com. If you need to send an encrypted message, you can find it on Keybase.

We ask that you give us a reasonable amount of time to respond to reports before making information public.

Please do not conduct any security research that could result in the destruction of data, interruption or degradation of service. This includes the use of automated tools or scanners: they are likely to cause your IP address to be banned.

We don’t currently accept responsible disclosure reports around the following issues:

  • Iframe / UI redress issues related to X-Frame-Options headers
  • HSTS implementation
  • User-provided password strength

Acknowledgements

Nutshell would like to thank the following organizations and individuals for responsibly disclosing security vulnerabilities. We greatly appreciate all contributions that help strengthen and improve Nutshell’s security, and allow us to provide a better experience for our customers.