Our approach to security

Introduction

Security and privacy are critical and non-negotiable values of our service.

On this page we address common questions potential customers have asked us about our approach to security.

If, after reading this document, you still have questions please get in touch.

As a European (German) company we are bound by GDPR, please find all the details of our approach to privacy and data protection on our GDPR page.

Context / General background

Our service exists to make open data easily usable.

The reality is we have very little worth "stealing", in that we aggregate and simplify the use of data that is freely available across the internet.

Nevertheless, we take the security of all systems and our users, especially their privacy, very seriously.

We hold no payment information, and always collect as little data as possible.

Account protection

At sign up or when changing passwords, we show users their password strength. We encourage all users of our services to only use secure passwords (ideally via a password manager).

Whether a paying customer or a free-trial account, users can secure their account with two-factor authentication (2FA). We encourage use of this feature.

The OpenCage account dashboard is only accessible via HTTPS.

Users can replace their geocoding API key(s) at any time in their account dashboard.

Users can delete their account at any time, and inactive accounts are automatically deleted after three months.

No user data is ever sold or shared with third parties.

All request logs are deleted after six months. Users can opt for us to have no record whatsoever of their queries via use of the optional no_record parameter.

Payment data

We NEVER hold any customer payment credentials (card numbers, etc).

Payment/Billing is handled via our payment processor, Stripe. All details of Stripe's security practices and PCI compliance can be found on the Stripe security page.

Development process and awareness of vulnerabilities

• All 3rd-party dependencies are regularly and automatically scanned for known and new vulnerabilities. Patches are applied promptly.

• All software undergoes automated testing in a staging environment and follows a formal launch process before going live.

• No user data or production credentials are stored in source code.

• All servers are secured and accessible only via secure methods.

• We use password managers like 1Password to ensure that all passwords are unique and complex.

• All user passwords are encrypted and can NOT be recovered by employees.

• Security of all systems is regularly reviewed and extended.

• Employees and contractors are given the lowest level of access that allows them to get their work done.

• All employees and contractors sign an NDA before gaining access to any sensitive information.

• All team members are aware that security is of paramount importance, and time is budgeted for learning, reviewing, and implementing security best practices.

ISO 27001 and other security certifications

As a small business giving away publicly available open data, we do not believe the burden of ISO 27001 cor SOC2 ertification would be appropriately proportionate.

Our API and geosearch services are hosted at multiple redundant locations with in the EU with the well known hosting company Hetzner, which is ISO 27001 certified. Please see the full details on the Hetzner site.

Our team does NOT have physical access to any of our servers.

Backups / Data Retention

Account data is backed up via daily snapshots and stored (encrypted) off-site.

We regularly set aside time to practice recovering from recent backups.

Request logs are deleted after six months, though users can opt for us to have no record whatsoever of their queries via use of the optional no_record parameter.

Security Bounty Program / Pen Testing

We welcome and reward outside help to make us aware of any gaps in our security through our security bounty program.

Stay informed

We invite any users of our services to contact us at any time if they have any questions or concerns regarding security (or any other topics).

In the event of any security issues we will provide prompt updates via our blog and our Mastodon account.