Our approach to security

Overview

Data security and privacy are key aspects of our service. On this page we attempt to address common questions potential customers have asked us about our approach to security.

If, after reading this document, you still have questions please get in touch.

Context

Our service exists to make open data easily usable. The reality is we have very little worth "stealing", in that we aggregate and simplify the use of data that is freely available across the internet.

Nevertheless, we take the security of all systems and our customers, especially their privacy, very seriously. We hold no payment information, collect as little data as possible, and delete inactive accounts.

Account protection

At sign up or when changing your password, we show you your password strength. We encourage all users of our services to only use secure passwords (ideally via a password manager).

Whether you are a paying customer or just a free-trial account, you can secure your account with two-factor authentication. We encourage you to make use of this feature.

Your OpenCage account dashboard is only accessible via HTTPS.

You can replace your geocoding API key(s) at any time via your account dashboard.

You can delete your account at any time, and inactive accounts are automatically deleted after six months.

Data Protection / GDPR / Privacy

We collect the absolute bare minimum of data about users of our service.

No user data is ever sold or shared with third parties.

As a Europen (German) company we are bound by GDPR, please find all the details of our approach to data protection on our GDPR page.

Users of our geocoding API can set the optional no_record parameter when making requests. If set we will not log the query of the request, and will have absolutely no record of the query.

All logs are deleted after six months.

ISO 27001 and other certifications

As a small business giving away open data, we do not believe the burden of ISO 27001 certification would be appropriately proportionate.

Our API and geosearch services are hosted at multiple redundant locations with in the EU with the well known hosting company Hetzner, who is ISO 27001 certified. Please see the full details on the Hetzner site. Our team does not have physical access to any of our servers.

Payment data

We NEVER hold any customer payment credentials (card numbers, etc). Payment/Billing is handled via our payment processor, Stripe. All details of Stripe's security practices and PCI compliance can be found on the Stripe security page.

Development process and awareness of vulnerabilities

• All 3rd-party dependencies are regularly scanned for known and new vulnerabilites and patches are applied promptly.

• All software undergoes automated testing and a formal launch process before going live.

• No user data or production credentials are stored in source code.

• All servers are secured and accessible only via secure methods.

• Security of all systems is regularly reviewed and extended.

• All team members are aware that security is of paramount importance, and time is budgeted for learning, reviewing, and implementing security best practices.

Security Bounty Program

We welcome and reward outside help to make us aware of any gaps in our security through our security bounty program

Stay informed

In the event of any security issues we will provide updates via our Mastodon account and our blog.