We ensure that the machines within the NomNom infrastructure are protected from the ground up. We use Google Cloud Platform (GCP) and Amazon Web Services (AWS) for our hosting. Both GCP and AWS are industry leaders and provide a highly scalable cloud computing platform with end-to-end security and privacy features built in.
Access to these data centers is strictly controlled and monitored using a variety of physical controls, intrusion detection systems, environmental security measures, 24x7 on-site security staff, biometric scanning, multi-factor authentication, video surveillance and other electronic means. All physical and electronic access to data centers by Amazon employees is authorized strictly on a least-privilege basis and is logged and audited routinely.
AWS maintains an impressive list of reports, certifications and independent assessments — including ISO 9001, PCI DSS Level 1, SOC1, SOC2, SOC3, among others — to ensure complete and ongoing state-of-the-art data center security. They’ve devoted an entire portion of their site to explaining their security measures and compliance certifications which you can find at:
NomNom employees do not have physical access to our servers in GCP or AWS. Electronic access to GCP and AWS servers and services is restricted to a core set of approved NomNom staff only.
All passwords are filtered from our logs and stored in the database only as one-way, salted bcrypt hashes. Login information is always sent over SSL.
NomNom cannot view any of your credentials; if you lose your password, you must go through the reset procedure before your account is accessible again.
Third-Party Service User Credentials
We store the configuration details for your connections (integrations) to the various third-party services. The service passwords, OAuth tokens and third-party API keys are encrypted, with a salt, before being stored in our database. You can completely revoke NomNom’s access to a service at any time.
Data Redundancy and Backups
We ensure that all customer account and customer feedback data is replicated and regularly backed up.
All servers are firewalled to permit the minimum traffic necessary to run the service.
GCP and AWS use network devices, including firewalls and other boundary devices, to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs) and configurations to enforce the flow of information to specific information system services.
GCP and AWS security monitoring tools help identify several types of denial of service (DoS) attacks, including distributed, flooding and software/logic attacks. GCP and AWS networks provide significant protection against traditional network security issues such as DDoS attacks, MITM attacks, IP spoofing, port scanning and packet scanning.
In addition to monitoring, regular vulnerability scans are performed on the host operating system, web application and databases in the GCP and AWS environment using a variety of tools. Alerts for any potential threats are escalated to the NomNom engineering team.
Application, Systems and Software Security
We have implemented strong encryption via TLS throughout our application. Encryption in transit minimizes the chance that someone intercepts username-password combinations or other sensitive information.
We adhere to industry best practices throughout the code lifecycle to prevent gaps in the security policy of the application and the underlying systems and to prevent common web attack vectors.
We have a designated team that keeps our software and its dependencies up to date, eliminating potential security vulnerabilities. We employ a wide range of monitoring solutions for preventing and stopping attacks on the site.
All NomNom web application communications are encrypted over 256-bit SSL, which cannot be read by a third party and is the same level of encryption used by banks and financial institutions.
Security and Privacy Features Available in NomNom
Private data access
Feedback, projects, reports, and data can be kept private and shared with only a specific set of people. Only authorized employees of NomNom customers can access their accounts, and data can only be shared with a user who has been granted access to NomNom by the account admin.
Using NomNom from behind firewalls
NomNom is a cloud-based SaaS service designed to work out of the box from behind firewalls and proxies, so your existing security controls stay intact.
Employee Access and Security
We regard your customer feedback as private and confidential to your team.
Our production environment is completely separate from the other environments — including development and QA. GCP and AWS provide sophisticated Identity and Access Management (IAM) to control access to their resources. Individually identifiable RSA key pairs are used for SSH access, and root login is disabled. This ensures a complete audit trail from an action back to the specific individual who triggered it.
NomNom employees are granted access to systems and data based on their role in the company or on an as-needed basis.
Access to customer data by NomNom employees is used only to assist with support and to resolve customer issues, and we will get your explicit consent each time. Violation of this policy is a serious matter requiring investigation and appropriate disciplinary action, up to and including termination as well as legal action.
When working on a support issue we do our best to respect your privacy as much as possible and only access the minimum data needed to resolve your issue.
NomNom adheres to industry best practices for design and development. We always thoroughly test new features in order to rule out potential attacks such as CSRF, XSS and SQL injection, among others.
We constantly improve our security policies as the threat landscape changes. Our engineering team continuously monitors ongoing security, performance, and availability. We subscribe to all relevant security bulletins so that we can promptly address any security issues in the software we use.
Credit Card Security
When you purchase a paid NomNom subscription, your credit card data is not transmitted through nor stored on our systems. All of NomNom’s credit card processing is handled securely by Stripe — a company dedicated to this task.
Stripe is certified to PCI Service Provider Level 1 — the most stringent level of certification available. You can read more about their privacy and security policies here: https://stripe.com/gb/terms and here: https://stripe.com/help/security
Need to report a security vulnerability?
When a potential security vulnerability is reported, it is handled with the highest priority until properly addressed. You can find our responsible disclosure policy and submit a vulnerability report here.
Reporting security vulnerabilities and responsible disclosure policy
If you believe that you have found a security vulnerability on NomNom, we encourage you to let us know straight away. We will investigate all legitimate reports and do our best to quickly fix the problem. Before reporting though, please review this page, including our responsible disclosure policy.
If you are looking to report another type of issue, please use the link below for assistance.
NomNom aims to keep its service safe for everyone, and data security is of utmost priority. If you are a security researcher and have discovered a security vulnerability in the service, we appreciate your help in disclosing it to us in a responsible manner.
Your findings must fit the criteria below:
- A serious vulnerability (and not just a zero or low-risk XSS)
- Discovered during routine use of the service as an actual user – not via a pen test or an automated scan, which would have been unauthorized
Share the details of any suspected vulnerabilities with NomNom’s Security Team by e-mail at the following address:
Please do not publicly disclose these details without express written consent from NomNom. In reporting any suspected vulnerabilities, please include the following information:
- Vulnerability details with information to allow us to efficiently reproduce your steps
- Your email address
- Your shipping address and T-shirt size
If you identify a verified security vulnerability in compliance with this Responsible Disclosure Policy, NomNom commits to:
- Promptly acknowledge receipt of your vulnerability report
- Provide an estimated timetable for resolution of the vulnerability
- Notify you when the vulnerability is fixed
- Publicly acknowledge your responsible disclosure