We take the security and availability of your data seriously.
We maintain geographically diverse datacenters running secured operating systems, with multiple layers of security. Your company’s data is safe with Nutshell.
Our engineering team has experience managing petabytes of data securely and durably. We take the following steps to keep your data secure at rest and as it transits our networks.
Private datacenters with industry-standard physical security policies & locked server cages
24x7 onsite datacenter staff to perform critical repairs
Firewalls, modern Linux operating systems, and conservative network configuration
VPNs to secure employee access and encrypt all data that transits Internet links
User passwords are salted and one-way encrypted. Nutshell staff cannot recover your password
Login pages are protected against brute-force attacks
We follow industry security lists and promptly patch critical issues (e.g. we tested and patched Heartbleed within hours of its disclosure)
We use a multi-tenant data storage architecture. Customer data is stored in discrete silos per account, to isolate and protect your data
Uptime and durability
In addition to security, it's critical to be able to access your data at all times. We do the following to keep Nutshell accessible.
Multiple third-party monitoring services track Nutshell's availability across the planet
On-call engineers are automatically paged for any customer-facing outage
RAID-10 redundant hard drive systems for all production databases, providing for hot swaps when drives fail
Hot-spare database servers in case of entire system failure
Real-time, geographically diverse replication of data
Twice-daily, weekly and monthly snapshots of all customer data for backup and recovery
status.nutshell.com hosted externally with uptime metrics provided by a third party and updates from our network team
One-click data zip export tool, to save all Nutshell data for legal compliance or portability
Our support team is based in-house with our Ann Arbor engineering team. We will only access your account with your permission to troubleshoot support issues. Staff will never ask for your Nutshell password.
All staff computers run with full-disk encryption and strong passwords
We don't expose our internal network to Windows
Every Nutshell employee receives a copy of 1Password on their first day
Offices are protected with individual keycard access
Your credit card and billing information is stored securely. Our billing systems are PCI-compliant and managed separately from Nutshell application systems.
Nutshell uses one-way encryption to securely store a representation of your password. We cannot retrieve a password — you must use our forgotten password tool in conjunction with your email address to recover your password. It is your responsibility to keep your Nutshell email address up-to-date.
It is your responsibility to choose secure passwords and to keep them safe. Nutshell cannot be responsible for data that is compromised due to an insecure or stolen user password. If you are authenticating with Nutshell via a third party (e.g. Google Apps), those passwords must also be secured.
If you are a security researcher or you believe that you have encountered a problem in Nutshell’s security, please review the following notes.
Please report any security concerns to email@example.com. If you believe that you need to send an encrypted message, please email first for our public key.
We ask that you give us a reasonable amount of time to respond to reports before making information public.
Please do not conduct any security research that could result in the destruction of data, interruption or degradation of service. This includes the use of automated tools or scanners: they are likely to cause your IP address to be banned.
We don’t currently accept responsible disclosure reports around the following issues:
Iframe / UI redress issues related to X-Frame-Options headers
User-provided password strength
Nutshell would like to thank the following organizations and individuals for responsibly disclosing security vulnerabilities. We greatly appreciate all contributions that help strengthen and improve Nutshell's security, and allow us to provide a better experience for our customers.