At Transifex, we take security seriously and strive to maintain an environment that values the security and privacy of our users. This policy applies to all employees, contractors, consultants, and other workers within the Transifex organization.
All our servers (virtual machines) are hosted on the cloud with administrative access limited to authorized personnel only. We encourage administrative tasks to be performed using in-house or third party automation software to safeguard user data, and revert to actual server access only when absolutely necessary. We’ve also implemented a set of security policies that is specific to the software and services running on VMs, and is reviewed regularly by our engineering and development teams.
Communication among our servers is always encrypted using SSL (Secure Sockets Layer), the standard security technology for establishing an encrypted link between a web server and a browser. This link ensures that all data passed between the web server and browsers remain private. Traffic served from our web apps to our users is always serviced via HTTPS, except in the case of marketing pages which do not collect sensitive user data. File and database backups are encrypted using AES (Advanced Encryption Standard) for its speed and reliability in encryption and decryption, key and algorithm setup time, and resistance to various attacks in both hardware and software-centric systems. Test systems use anonymized data, and for the security of our users, proper provisions have been implemented to prevent the reversal of anonymized data.
Our files and virtual machines are hosted with the largest managed cloud provider, Amazon Web Services (Ireland), trusted globally for its network designed and built for reliability. Amazon Web Services complies with PCI-DSS Level 1, SOC1, SOC2, SOC3, ISO 9000, FIPS-140-2, CJIS, CSA, FERPA, HIPAA, ISO 27001 and FISMA Moderate.
Certain aspects of our infrastructure require remote access in a very restricted way. For these components, authentication and access are coordinated through a Virtual Private Network that has been deployed specifically for this purpose. Traffic that flows through our VPN is always encrypted.
Email communication with Transifex is handled by ‘Google Apps for Work’, which has a SOC3 Seal of Assurance and is ISO 27001 certified.
Our development process includes extensive code reviews during the code development phase and before code is pushed to production. This is part of our effort to instill a proactive mindset with regard to security-related issues. We also perform regular audits and checks against known security flaws including the OWASP Top Ten.
With the goal of minimizing system downtime, we apply operating system and key software patches on a regular basis. Whenever downtime is expected, we notify our users well ahead of time. Critical system patches are applied immediately.
We have deployed a 24×7 monitoring system and provide a status page at status.transifex.com for our users to verify the availability of our service. Furthermore, users can subscribe to notifications through that page or through Twitter (handle: @TransifexStatus).
Whether you have a security concern that you would like to discuss with us or want to report any vulnerability regarding Transifex services, please contact us at email@example.com. Make sure you provide as much context and information as you can so our team can understand the nature and severity of the problem and take the appropriate actions. We take all communications seriously, practicing responsible full disclosure and providing proper attribution of findings. If so desired, you can encrypt your message using our PGP key.
Users log into the Transifex system either by using their social login information from other platforms (GitHub, LinkedIn, or Google+) or through a unique username and password that they choose. All user passwords are encrypted using PBKDF2 and we do not store any passwords in cleartext within Transifex.
We do not store any credit card information. All our credit card processing is taken care of by Chargebee and Stripe, both listed in Visa’s registry of providers as PCI Level 1 service providers.
Access to our offices is restricted and enforced by security personnel services. When sensitive data is physically stored on our premises, access is only available to authorized personnel (enforced via the use of appropriate means), with the presence of at least two persons required on site. Our organizational security practices include access to places and data on a need-to-know basis for all types of information.
We’d like to thank the researchers Abdul Haq Khokhar, Ajay Subhash Sawant, Ronak Nahar, Osama Mahmood, Talha Mahmood, Hammad Mahmood, Rafael Pablos, Muhammed Gamal Fahmy, Mohamed Khaled Fathy, SaifAllah benMassaoud, Konduru Jashwanth, Sushil Saini, Balvinder Singh, Mansoor Gilal, Meena Rambuddi, Arbin Godar, Sajibe Kanti, Ali Wamim Khan, Willy Gaston Lindo, TJ Horner, Cristian Joseph D. Legacion, Taimoor Abid, Manuel Eve A. Laude, Noman Shaikh, Sadik Shaikh, Jolan Saluria, Ace Candelario, Rico A. Silvallana, Hari Namburi, Pal Patel, Nitesh Sharma, Zeel Chavda, Pethuraj M, Shivam Kamboj Dattana, Steven Hampton, Prafull Pansare, Thrivikram Gujarathi, Pradipta Das, Husnain Iqbal, Ismail Tasdelen, Kaushik Sardar, Hamid Ashraf, Remesh Ramachandran, Pratik Dabhi, Raju Kumar, Pritam Mukherjee, Rayen Messaoudi, Umar Ahmed and Jayalakshmi P for helping us identify and resolve issues with our services.