Brian here, CTO at Cronometer.com. In light of recent events at MyFitnessPal, I thought it would be good to let you know our approach to security at cronometer.com.
As fun as it would be to bash a competitor when they are down, this will not be an article bashing MFP. They appear to be responding to their security breach in an open and honest way.
Cronometer.com is cloud based, communicating with millions of users over the web and mobile apps. How do we do this while maintaining the security of your data?
We adhere to 3 basic principles:
- Encrypt everything (in transit and at rest)
- Grant least access/privileges to information that allows the work to continue
- Maintaining industry best practices, employing set standards where possible (HIPAA, GDPR, etc)
I’ll cover each:
-
Encrypt Everything
All traffic from your mobile app or browser to cronometer.com’s servers is encrypted.
All data internally from our load balancers to our web servers is encrypted.
All data internally from our web servers to our other tiers, databases, etc is encrypted.
All admin access to our systems is encrypted.
Any requests to non-encrytped web pages are automatically redirected to their encrypted counterparts.
All user passwords are encrypted, and never stored cleartext (hashed and salted).
Our blog server is encrypted.
-
Least Privileges
Users are only granted access to their information
Any access granted to other parties is completely in the control of the user via the profile page. (inviting friends, signing up to studies, signing up to Pro’s, etc)
Any data sharing, for opt-in studies, or Pro accounts, is via encrypted channels
-
Industry Best Practices
Cronometer.com was born in and was built for the cloud
We are designed from the ground up to the distributed and secure
We are adhering to GDPR, with a data protection officer named (Hi, it’s me!)
We are self-certified as HIPAA compliant, a US standard usually reserved for medical practitioners, as we have several prominent US hospitals using cronometer.com in their gastronomy departments.
All of the above is aimed at reducing the likelihood of data breaches. We are not perfect, mistakes and bugs can and will happen. This assumption is built into the above.
This is to ensure we know how to react. With HIPAA and GDPR we have mandated policies for how we react, expected timings for certain tasks, executive committees, etc.
Since the foundation of cronometer.com we have also provided the option to completely remove your data from our system and will always have this. This ensures you keep complete control of your data.
I hope this has spread some light on how we value security and the importance we place on protecting your data.
If you have any questions on the above, please come chat to me on the forums (https://forums.cronometer.com) and I’ll do my best to answer them.
Cheers,
Brian
CTO
cronometer.com
