We respect your right to privacy — isn't that what everybody is saying? Privacy is hard. We aim for a good balance between privacy, security, business needs, usability and legal regulations.
Data processing, potentially including personal data, happens on multiple levels with web hosting: we have to store IPs for security reasons, we have to store billing-related data for 10 years and, most importantly, you are storing your code, uploads and databases here.
Data processing terms
Our terms cover general data processing measures. Additional "order data processing terms" are available on request for B2B clients.
Code peeking policy
Technically, fortrabbit staff is able to view and even edit all uploaded files and databases. Our aim is to be involved as little as possible. There is an internal policy for that. In many support cases, knowledge about configuration or code is essential to find a solution. Where possible and acceptable, we will ask for permission to look into your code upfront. In other security-related cases, for instance fighting phishing attempts, it is required that we examine code proactively. This can take place on suspicion.
We believe in a clear and transparent division of concerns. In a nutshell: We are responsible for the cloud infrastructure, the operating system and the PHP runtime; You are responsible for the software you write and use. Please also read our security responsibility article to learn more about the security division here.
When you delete Apps or Accounts with us, we delete as much and as completely as possible. For some clients this comes as a surprise, as they expect that we just hide data away until they pay their open invoices.
Web server logs
You can interact with fortrabbit services over various transport protocols. We store connection data in log files with each access. This may include the request time, the IP address of the requestor, the protocol and version used, the URL called, the response status, the number of bytes delivered, a referrer and a user agent (browser and OS). We do so for security reasons — to avoid malicious and unauthorized access. We reserve the right to analyze and blacklist certain IPs from our services based on these access logs. We will delete those logs as soon as possible. Certain logs might be kept for analysis and fraud protection.
fortrabbit Apps can be accessed via a TLS encrypted connection in various ways. All have in common that fortrabbit is not the Certificate Authority and that the service is provided "as is". See our dedicated HTTPS & TLS help article for more.
To err is human. We do our best to keep this information up-to-date, complete and correct. We reserve the right to add, change or remove certain services and practices without further announcement.
fortrabbit wouldn't be possible without relying on third-party services. We have carefully reviewed and chosen our business partners. Individual data processing terms with those vendors are in place. The following gives you an overview of which external services we use, how and why:
Cloud hosting & data centers
The fortrabbit platform itself runs on Amazon Web Services (AWS). That includes our web properties (www, blog, help and dashboard) and, most importantly, the Apps our clients are creating here. Various services from AWS (EC2, RDS, S3, Route53, CloudFront …) are used in combination.
- Apps will be stored in the data center location you choose.
- Billing-related and Account data is stored in Ireland.
Credit card billing information is stored directly with our credit card payment processor Wirecard. We only keep a minimum of information: a reference and an identifier. SEPA bank account information is stored in our databases.
Usage statistics, tracking & marketing
We make use of Google Analytics and potentially of Google AdWords. We might use re-marketing from Google, as it is an effective way to stay on the radar of potential clients. We might also advertise on Twitter; for this we share information about your visit, think "Tailored Audiences".
The little chat bubble on the bottom right is powered by Intercom. This service collects some meta-data, like browser, operating system and geo location, when you interact and provide your name and e-mail to get in touch with us. For identified Accounts we share your name, company, e-mail and the additional meta-data via API. This helps us give you personal and fast support. When you delete your Account with fortrabbit, the connected data-set will also get deleted. From time to time we also manually delete neglected, non-active Accounts on the Intercom side, to store and share as little as needed.
We use MailChimp to send occasional e-mail updates to subscribed Accounts. These e-mails include relevant information on service updates and feature announcements. With MailChimp we share e-mail addresses and names (for personalization). New fortrabbit Accounts get signed up for the newsletter automatically. That's why you need to confirm upfront that we may contact you by e-mail. Each newsletter — of course — includes a one-click opt-out option. Additionally, there is an Account notification setting in the Dashboard to manage subscriptions.
We use Postmark to send automated transactional e-mails to Accounts. These e-mails include relevant information. They are triggered either by intervals or by user interaction. Examples are: "double opt-in sign-up", "invoice notice", "trial expire notice" or "password reset". Naturally, there is no opt-out for these. Again, that's why you need to confirm that you agree to be contacted by e-mail when signing up.
Accounts can subscribe — via opt-in — to fortrabbit service status updates for downtimes and incidents. This optional service is provided by Statuspage from Atlassian. It is possible to subscribe by e-mail, SMS or RSS feed. It is available under status.fortrabbit.com.
We use software to manage our hiring processes, to source, evaluate and track applicants. Currently we are using Breezy for this. Open positions can be found under fortrabbit.breezy.hr.
Account meta data
We will store additional meta data with your Account when you sign up. This includes your IP, the time and a possible referrer. We use MaxMind to convert the IP to a geolocation that will also be stored with your Account. This might sound sneaky but is an important cornerstone in fraud and phishing protection.
Internal case management
We use Trello as an internal ticketing system to keep track of ongoing business tasks. We might link client cases from the chat system or billing-related information there as well.
Account profile pictures
We send a hash of your e-mail address to the Gravatar service to see if you have an Account over there. If you have, we display your profile picture from there; if not, a unique generic profile icon will be displayed.
We employ a tax agency called Ecovis, as well as potentially other accountants, to help us with financial accounting. Naturally, these service providers have read access to billing-related data and invoices. Billing-related data, like invoices, is stored with Google Drive.
In certain cases we might embed content from other web services in our websites. This can be a hotlink, some JS, or an iframe. Examples are a YouTube video, a poll by Google Forms or just an image from another website. Of course, this might pass on your IP and a timestamp as well.