Data security and privacy are key aspects of our service. On this page we attempt to address common questions potential customers have asked us about our approach to security.
If, after reading this document, you still have questions please get in touch.
ContextOur service exists to make open data easily usable. The reality is we have very little worth "stealing", in that we aggregate and simplify the use of data that is freely available across the internet. Nevertheless, we take the security of all systems and our customers, especially their privacy, very seriously. We hold no payment information, collect as little data as possible, and delete inactive accounts.
Account protectionAt sign up or when changing your password, we show you your password strength. We encourage all users of our services to only use secure passwords (ideally via a password manager). Whether you are a paying customer or just a free-trial account, you can secure your account with two-factor authentication. We encourage you to make use of this feature. Your OpenCage account dashboard is only accessible via HTTPS. You can replace your geocoding API key(s) at any time via your account dashboard. You can delete your account at any time, and inactive accounts are automatically deleted after six months.
Data Protection / GDPR / PrivacyWe collect the absolute bare minimum of data about users of our service. No user data is ever sold or shared with third parties. As a Europen (German) company we are bound by GDPR, please find all the details of our approach to data protection on our GDPR page. Users of our geocoding API can set the optional
no_recordparameter when making requests. If set we will not log the query of the request, and will have absolutely no record of the query. All logs are deleted after six months.
ISO 27001 and other certificationsAs a small business giving away open data, we do not believe the burden of ISO 27001 certification would be appropriately proportionate. Our API and geosearch services are hosted at multiple redundant locations with in the EU with the well known hosting company Hetzner, who is ISO 27001 certified. Please see the full details on the Hetzner site. Our team does not have physical access to any of our servers.
Payment dataWe NEVER hold any customer payment credentials (card numbers, etc). Payment/Billing is handled via our payment processor, Stripe. All details of Stripe's security practices and PCI compliance can be found on the Stripe security page.
Development process and awareness of vulnerabilities
- All 3rd-party dependencies are regularly scanned for known and new vulnerabilites and patches are applied promptly.
- All software undergoes automated testing and a formal launch process before going live.
- No user data or production credentials are stored in source code.
- All servers are secured and accessible only via secure methods.
- Security of all systems is regularly reviewed and extended.
- All team members are aware that security is of paramount importance, and time is budgeted for learning, reviewing, and implementing security best practices.