Security 🔒

Our customer's trust and data security are core
and critical to what we do at SaaSync.

Overview

SaaSync was built from the ground up with data security in the forefront of our architecture.  So much so, that SaaSync greatly limits the storage of your customer data on our servers.  Our mission is to get your customer data in a secure manner from one system to another system, while storing as little data as possible.  

We understand the importance of safeguarding your data, thus we have implemented controls and best practices to provide the highest standard of security for our users and customers.  Below are some of those mechanisms.

Data storage

SaaSync greatly limits the storage of your customer data on our servers for most of our integration data sources by acting as a realtime translation layer between the integration source and destination. 

For all data sources for performance reasons and to reduce API rate limit exceptions, we may cache some customer data for up to one hour at which time the cache is cleared. We also may log error responses from the source / destination systems for up to 30 days and log an audit trail of actions performed for up to 60 days.  For systems that enable webhooks, we retain a history of webhooks received for 30 days.

For QuickBooks Online and Xero data sources only, due to the nature of how our integrations function, SaaSync stores the full set of data for Invoices, Credit Notes/Memos, and Sales Receipts/Receive Money Transactions (if enabled). SaaSync also stores a limited set of data for Customers and Products for identification and classification purposes in our application. If you delete the connection from SaaSync, all of the data is removed immediately though it may be retained in encrypted backups for a period of 30 days.

For Paddle data sources only, due to API design limitations including very restrictive rate limits, we do store a history of all webhooks indefinitely for the Paddle integration.  Upon deleting your account or the Paddle connection, the webhooks associated with your account are deleted immediately, though they may be retained in encrypted backups for a period of 30 days.

Data privacy

Your data is your property and will never be sold to third parties.

• GDPR compliant: SaaSync and all our third-party providers are compliant with the EU’s General Data Protection Regulation.  Our Data Processing Addendum is available for your review.
• Credit cards: SaaSync does not process or store any credit card details belonging to you or your customers. Your card details are never transmitted through or stored on our infrastructure.  All credit card payments made to SaaSync go through our partner, Stripe. Details about their security setup and PCI compliance can be found at Stripe’s security page.
• Passwords: Your password is encrypted and never stored in our database in a readable/unencrypted format. You are responsible for choosing a strong password and keeping it secret.  We do enforce a password complexity standard and credentials are stored using a PBKDF function (bcrypt). Two-factor authentication is available to all SaaSync users and we strongly recommended enabling it on your account for an additional layer of security.

Product & Network security

• Password and Credential Storage: SaaSync enforces a password complexity standard and account credentials are stored using a PBKDF function (bcrypt).  Integration API credentials are stored using an advanced encryption standard (AES).
• 2FA: SaaSync makes available for all users two-factor authentication, which we strongly recommend enabling on your account for additional security.
• Uptime: We have uptime of 99.9% or higher.  You can check our recent statistics at https://status.saasync.com.
• Monitoring: We monitor application, software, and infrastructure behavior through industry-established services that are highly reliable and compliant.
• Data hosting and storage: SaaSync services and data are hosted in Amazon Web Service (AWS) facilities in the USA.
• Fault tolerance: SaaSync provides multiple failover instances to prevent outages due to single points of failure.
• Encryption: Data sessions are always protected with TLS protocols and 2,048-bit keys. We also encrypt sensitive data at rest using an industry-standard AES-256 encryption algorithm.
• Virtual Private Cloud: All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests getting to our internal network.
• Pentests & Vulnerability Scanning: SaaSync engages third-party security experts to perform detailed penetration tests on the SaaSync application and infrastructure.
• Incident policy: Incidents are handled through a defined and documented process. We run post-mortems and all employees are informed of our policies.

Data centers and network

Our data center provider, AWS, maintains ISO 27001, SOC2, GDPR compliance, along with numerous other certifications and standards.