Security
Applications and infrastructure
All of Snapfix’s servers are hosted by Amazon Web Services (AWS) in the United States and Ireland. All components that process user data operate within Snapfix’s private network. Only a small number of Snapfix’s servers, protected behind load balancers and a firewall, are accessible from the Internet.
Data encryption
Connections between the client apps and the backend infrastructure are protected by up-to-date encryption protocols (including SSL/TLS 1.2) while maintaining compatibility with the cipher suites the client supports. All databases, data storage, and backups are encrypted at rest using AES-256.
Organisational and information security
All Snapfix employees complete annual privacy and security training that covers topics such as data privacy, physical security, data and information security, and incident reporting. In addition, all employees must read and sign Snapfix’s Internal Data Security and Privacy Policy.
Security for team administration
In addition to the security we’ve built at an infrastructure level, we also provide administration features to our paid Snapfix Business teams. These features allow administrators to manage their teams and include capabilities to create, transfer, or revoke access as needed.
Product security
Snapfix uses secure, industry-leading services to manage roles and access policies, certificates, encryption keys and secrets, firewalls, network access lists, and log collection and monitoring.
Our security and platform team performs regular check-ins with every development team, and all code is thoroughly reviewed and checked through a version control system. We automatically scan our applications and libraries for known vulnerabilities and apply fixes promptly.
Employee practices
To access any of Snapfix’s internal systems, employees must authenticate via a single-sign-on system with mandatory 2-factor authentication. We regularly review employees’ access to the systems that hold or process customer data and revoke access for employees who no longer require it to do their work.
Customer data policy
Snapfix does not sell or rent users’ personal data to advertisers or to other third parties to enable them to deliver advertisements. For more information, please review our Privacy Policy.
Snapfix has a set of policies and technical controls that prevent employees from accessing customer data that is stored or processed by Snapfix systems. Where appropriate, Snapfix uses private keys and restricts network access to particular employees.
While Snapfix may track anonymized, aggregate statistics by website domain, Snapfix doesn’t collect browsing history from specific users while they browse the web.
Information such as web server access logs or IP addresses is collected only for a limited time and only to provide specific services to the user, such as fraud prevention.
Compliance
Snapfix complies with the EU General Data Protection Regulation (GDPR) and the EU-U.S. Privacy Shield Framework and Swiss-U.S. Privacy Shield Framework regarding the collection, use, and retention of personal information transferred from the European Union and Switzerland to the United States. For more details, see Snapfix’s Privacy Policy.
Third-party vendors
Before using a third-party vendor, Snapfix carefully evaluates the vendor's security practices. Snapfix removes personal information from third-party systems if it is no longer needed or if a user requests account deletion.