Our approach to security

Introduction

Security and privacy are critical and non-negotiable values of our service.

On this page we address questions potential customers commonly ask us about our approach to security.

If, after reading this document, you still have questions please get in touch.

Please note: as a European (German) company we are bound by GDPR, you can find all details of our approach to privacy and data protection on our GDPR page.

Context / General background

Our service exists to make open data easily usable. The data our geocoding API and geosearch services return is all public information. We aggregate and simplify the use of data that is freely available across the internet.

Nevertheless, we take the security of all systems and our users, especially their privacy, very seriously.

We hold no payment information, and always collect as little data as possible.

Account protection

At sign up or when changing passwords, we show users their password strength. We encourage all users of our services to only use secure passwords (ideally via a password manager).

Whether a paying customer or a free-trial account, users can secure their account with two-factor authentication (2FA). We encourage use of this feature.

The OpenCage account dashboard is only accessible via HTTPS.

Users can replace their geocoding API key(s) at any time in their account dashboard.

Users can delete their account at any time, and inactive accounts are automatically deleted after three months.

No user data is ever sold or shared with third parties.

All request logs are deleted after six months. Users can opt for us to have no record whatsoever of their queries via use of the optional no_record parameter.

Payment data

We NEVER hold any customer payment credentials (card numbers, etc).

Payment/Billing is handled via our payment processor, Stripe. All details of Stripe's security practices and PCI compliance can be found on the Stripe security page.

Development process and awareness of vulnerabilities

• All 3rd-party dependencies are regularly and automatically scanned for known and new vulnerabilities. Patches are applied promptly.

• All software is managed via a version contraol system, and undergoes automated testing in a staging environment and follows a formal launch process before going live.

• No user data or production credentials are stored in source code.

• All servers are secured and accessible only via secure methods.

• We use password managers like 1Password to ensure that all passwords are unique and complex.

• All user passwords are encrypted and can NOT be recovered by employees.

• Security of all systems is regularly reviewed and extended.

• Employees and contractors are given the lowest level of access that allows them to get their work done.

• All employees and contractors sign an NDA before gaining access to any sensitive information.

• All team members are aware that security is of paramount importance, and time is regularly budgeted for learning, reviewing, and implementing security best practices.

• We have a specific individual responsible for overseeing information security.

ISO 27001 and other security certifications

As a small business giving away publicly available open data, we do not believe the burden of ISO 27001 or SOC2 certification would be appropriately proportionate.

Our API and geosearch services are hosted at multiple redundant locations within the EU with the well-known hosting company Hetzner, which is ISO 27001 certified. Please see the full details on the Hetzner site.

Our team does NOT have physical access to any of our servers.

Backups / Data Retention / AI / Data Handling Policies

• As a European company we are bound by GDPR. Please see our GDPR page where this is explained in detail.
• Account data is backed up via daily snapshots and stored (encrypted) off-site.

• We regularly set aside time to practice recovering from recent backups.

• Request logs are deleted after six months, though users can opt for us to have no record whatsoever of their queries via use of the optional no_record parameter - see relevant documentation.

• Customer data is NEVER used for AI training purposes.

Security Bounty Program / Penetration Testing

We welcome and reward outside help to make us aware of any gaps in our security through our security bounty program.

Stay informed

We invite any users of our services to contact us at any time if they have any questions or concerns regarding security (or any other topics).

In addition:

• Changes to our geocoding API are announced via our public CHANGELOG.

• Operational status, as measured by an independent third party, is always available on our public status page.

• In the event of any security issues we will provide prompt updates via our blog and our Mastodon account.