All servers that run Minter.io software in production are recent, continuously patched Linux systems.
Our web servers encrypt data in transit with HTTPS (TLS 1.1 or later) so that requests are protected from eavesdropping and man-in-the-middle attacks. TLS 1.1 has since been formally deprecated (RFC 8996), so current browsers and API clients negotiate TLS 1.2 or 1.3. Our TLS certificates use 2048-bit RSA keys and are signed with SHA-256. All connections to our database and to subprocessors are encrypted using TLS.
Internal server-to-server requests are signed and authenticated to prevent request forgery, tampering and replay. Firewalls expose only the necessary ports to the internet and between servers.
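The signing scheme above can be implemented with an HMAC over a canonical form of the request plus a timestamp and a nonce. The following is an added example (not Minter.io's own code) showing one way to do it in Python with the standard library; the shared key, the 300-second skew window, the header names and the sample request body are all constructed for the example. Tampering fails the MAC, a stale timestamp fails the freshness check, and re-sending an accepted request fails the nonce cache.

```python
import hashlib
import hmac
import json
import secrets
import time

# Shared secret for one server-to-server link. Constructed for this example;
# a real deployment provisions a distinct key per service pair.
INTERNAL_KEY = b"example-internal-signing-key-0123456789abcdef"

# Maximum clock drift a receiver tolerates before calling a request stale
# (an assumed value, not taken from the page).
MAX_SKEW_SECONDS = 300


def _canonical(method, path, body, timestamp, nonce):
    """Bytes both sides sign: method, path, body hash, timestamp, nonce."""
    body_hash = hashlib.sha256(body).hexdigest()
    fields = [method.upper(), path, body_hash, str(timestamp), nonce]
    return "\n".join(fields).encode()


def sign_request(key, method, path, body, timestamp=None, nonce=None):
    """Headers a calling service attaches to an internal request."""
    timestamp = int(time.time()) if timestamp is None else timestamp
    nonce = secrets.token_hex(16) if nonce is None else nonce
    msg = _canonical(method, path, body, timestamp, nonce)
    mac = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"X-Timestamp": str(timestamp), "X-Nonce": nonce, "X-Signature": mac}


def verify_request(key, method, path, body, headers, seen_nonces, now=None):
    """Check a received request; returns (accepted, reason).

    seen_nonces is the receiver's replay cache: nonces already accepted
    inside the skew window. A real service keys it per sender and expires
    entries older than MAX_SKEW_SECONDS.
    """
    now = int(time.time()) if now is None else now
    try:
        timestamp = int(headers["X-Timestamp"])
        nonce = headers["X-Nonce"]
        presented = headers["X-Signature"]
    except (KeyError, ValueError):
        return False, "missing or malformed auth headers"

    # 1. Freshness: outside the window means stale (or a skewed clock).
    if abs(now - timestamp) > MAX_SKEW_SECONDS:
        return False, "stale timestamp"

    # 2. Integrity and authenticity: recompute the MAC over the canonical
    #    form. compare_digest is constant-time, so a mismatch does not leak
    #    how many leading bytes were correct.
    msg = _canonical(method, path, body, timestamp, nonce)
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, presented):
        return False, "bad signature"

    # 3. Replay: consult the nonce cache only after the MAC is valid, so an
    #    attacker cannot fill it with forged nonces.
    if nonce in seen_nonces:
        return False, "replayed nonce"
    seen_nonces.add(nonce)
    return True, "ok"


def demo():
    """Run the accept path and the three rejection paths with a fixed clock."""
    path = "/internal/refresh"
    body = json.dumps({"account_id": 42, "action": "refresh"}).encode()  # constructed
    now = 1_700_000_000  # fixed so the run is reproducible
    headers = sign_request(INTERNAL_KEY, "POST", path, body, timestamp=now)
    cache = set()
    return {
        "valid": verify_request(INTERNAL_KEY, "POST", path, body, headers, cache, now),
        "replay": verify_request(INTERNAL_KEY, "POST", path, body, headers, cache, now),
        "tampered": verify_request(INTERNAL_KEY, "POST", path, body + b" ", headers, set(), now),
        "stale": verify_request(INTERNAL_KEY, "POST", path, body, headers, set(), now + 3600),
    }


if __name__ == "__main__":
    for case, (accepted, reason) in demo().items():
        print(f"{case:9s} accepted={accepted} ({reason})")
```

The order of checks matters: the freshness and MAC checks run before the nonce cache is touched, so only authenticated requests can add entries to it, and the cache only needs to remember nonces for as long as the skew window.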
All data retrieval from Instagram, Facebook, Twitter, TikTok and LinkedIn is done with your unique access token over a secure (TLS) connection to the social networks' APIs.
User and analytics data that Minter.io collects through its software is stored in Frankfurt, Germany, European Union (EU) on Linode and Amazon Web Services infrastructure. Access to the servers is limited to Minter.io team members on a need-to-know basis. Only systems with a direct technical need are exposed to the internet (e.g. frontend web servers, load balancers and other systems that directly serve customer traffic).
For exception-based logging (error reporting), Minter.io uses subprocessors which are based outside of the EU. Minter.io uses these designated subprocessors for infrastructure and application monitoring so that it can provide a reliable service to its users. The data they process is used solely by Minter.io's engineering team to operate and improve the software's reliability. It is not queried or used for any other purpose.
Only Minter.io engineers who require such access to do their job are given it. Each engineer has individual credentials, and these are only valid when used from specific IP addresses. Server access uses SSH key-based authentication.
Data collected through Minter.io is exclusively reserved for use by our users and customers.
Access to Minter.io's systems is strictly controlled through both our Access Control policies as well as technical controls. Our approach will always be to provision on a 'need-to-know' basis.
The Minter.io team is only permitted access to internal services via a virtual private network (VPN).
Multi-factor authentication adds a further layer of security when team members authenticate.
Only a limited number of skilled engineers, whose job function is to support and maintain the Minter.io environment, are permitted access to Minter.io's production environment.
At Minter.io we use database replication to keep your data safe in the case of system failure. Database backups are taken every day and stored on Linode (Frankfurt) and Amazon S3 (Ireland). Only if two or more database nodes failed concurrently would we need to restore from a backup.
User passwords are hashed with bcrypt. They are never stored in the database in plaintext and are not readable by staff. A password does grant access to the Minter.io website, however, so it is the end user's responsibility to protect it with care.
Your billing data is encrypted at rest with AES-256. We don't store your payment data (credit card numbers or PayPal account emails).
When you purchase a paid Minter.io subscription, your credit card and PayPal data are neither transmitted through nor stored on our systems. Instead, we rely on Stripe and PayPal, online payment processors. Stripe is certified to PCI Service Provider Level 1, the most stringent level of certification available. Stripe's security information is available at https://stripe.com/help/security.
We use Cloudflare to secure and ensure the reliability of our external-facing resources such as the website and the API. Request-handling code paths include frequent user re-authorization checks, payload size limits, rate limiting where appropriate and other request verification techniques. All requests are logged and made searchable to operations staff.
Client code uses several techniques to ensure that using the Minter.io application is safe and that requests are authentic, including:
XSS and CSRF protection
signed and encrypted user auth cookies
remote invalidation of extant sessions upon password change/user deactivation
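The password-hashing statement above and the last two items in this list fit together: a cookie can only be invalidated remotely if it carries something the server can change. The following is an added example, not Minter.io's code, of one common way to do that in Python: each user record holds a session generation counter, every signed cookie embeds the generation it was issued under, and a password change or deactivation makes every outstanding cookie fail validation. The page states bcrypt; PBKDF2-HMAC-SHA256 stands in here because it is in the standard library, and the iteration count is deliberately low for a demo. The cookie is signed but not encrypted (the standard library has no authenticated encryption; an AEAD such as AES-GCM from a library would wrap the payload in production), so its claims are readable, which is exactly why encryption matters if the payload ever carries anything sensitive. The key, the user table and the sample user are constructed for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Cookie signing key, constructed for this example (real deployments load it
# from a secret store and rotate it).
COOKIE_KEY = b"example-cookie-signing-key-fedcba9876543210"

# PBKDF2 stands in for bcrypt (assumption: standard library only). Low count for a demo.
PBKDF2_ITERATIONS = 20_000

# In-memory user table standing in for the database (constructed).
USERS = {}


def hash_password(password):
    """Return 'salt$digest'; the plaintext is never kept."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return base64.b64encode(salt).decode() + "$" + base64.b64encode(digest).decode()


def check_password(stored, password):
    salt_b64, digest_b64 = stored.split("$", 1)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), PBKDF2_ITERATIONS)
    return hmac.compare_digest(base64.b64decode(digest_b64), actual)


def create_user(username, password):
    # "generation" is the remote kill switch: cookies record the generation they
    # were issued under, and any mismatch rejects the cookie.
    USERS[username] = {"pw": hash_password(password), "generation": 0, "active": True}


def _b64(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _unb64(data):
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def issue_cookie(username, now=None, ttl=86400):
    """Sign a session payload bound to the user's current generation."""
    now = int(time.time()) if now is None else now
    claims = {"sub": username, "gen": USERS[username]["generation"], "exp": now + ttl}
    payload = json.dumps(claims, separators=(",", ":")).encode()
    sig = hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest()
    return (_b64(payload) + b"." + _b64(sig)).decode()


def validate_cookie(cookie, now=None):
    """Username for an authentic, unexpired, still-current cookie; else None."""
    now = int(time.time()) if now is None else now
    try:
        payload_b64, sig_b64 = cookie.encode().split(b".", 1)
        payload, sig = _unb64(payload_b64), _unb64(sig_b64)
    except ValueError:  # no dot, or bad base64 (binascii.Error is a ValueError)
        return None
    # Verify the MAC before trusting anything inside the payload.
    if not hmac.compare_digest(hmac.new(COOKIE_KEY, payload, hashlib.sha256).digest(), sig):
        return None
    claims = json.loads(payload)
    user = USERS.get(claims.get("sub"))
    if user is None or not user["active"] or claims.get("exp", 0) < now:
        return None
    if claims.get("gen") != user["generation"]:
        return None  # issued before a password change
    return claims["sub"]


def change_password(username, old, new):
    user = USERS[username]
    if not check_password(user["pw"], old):
        return False
    user["pw"] = hash_password(new)
    user["generation"] += 1  # invalidates every session issued so far
    return True


def deactivate_user(username):
    USERS[username]["active"] = False


def demo():
    """A cookie survives login, then dies on password change and deactivation."""
    create_user("alice", "correct horse battery staple")
    now = 1_700_000_000
    old_cookie = issue_cookie("alice", now)
    out = {"fresh": validate_cookie(old_cookie, now)}
    # Forgery attempt: extend the expiry in the payload but keep the old signature.
    bad_claims = json.dumps({"sub": "alice", "gen": 0, "exp": now + 10**9}, separators=(",", ":"))
    forged = (_b64(bad_claims.encode()) + b"." + old_cookie.encode().split(b".")[1]).decode()
    out["forged"] = validate_cookie(forged, now)
    out["wrong_old_pw"] = change_password("alice", "wrong", "new pass")
    out["changed"] = change_password("alice", "correct horse battery staple", "new pass")
    out["after_change"] = validate_cookie(old_cookie, now)
    new_cookie = issue_cookie("alice", now)
    out["new_cookie"] = validate_cookie(new_cookie, now)
    deactivate_user("alice")
    out["after_deactivate"] = validate_cookie(new_cookie, now)
    return out
```

The generation check costs one user lookup per request, which a cookie-only scheme would otherwise avoid; that lookup is the price of being able to log a user out of every device the moment their password changes or their account is deactivated.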
Last updated: May 30, 2022