Security Practices - HeyDrop Trust Center

1 Infrastructure & Hosting

HeyDrop is built entirely on Amazon Web Services (AWS), one of the world's most trusted and secure cloud platforms. Our infrastructure is located in the us-east-1 (N. Virginia) region.

AWS Certifications

AWS maintains the following industry certifications that benefit HeyDrop customers:

SOC 2 Type II — Validates security, availability, and confidentiality controls
ISO 27001 — Information security management system certification
EU-US Data Privacy Framework — Certifies lawful cross-border data transfers

Infrastructure as Code

All HeyDrop infrastructure is managed through AWS CloudFormation, enabling version control, repeatable deployments, and disaster recovery. This approach ensures consistency and auditability across all environments.

2 Data Encryption

HeyDrop implements industry-leading encryption standards to protect customer data at rest and in transit.

Encryption at Rest

All data stored in HeyDrop is encrypted using AES-256 encryption via AWS Key Management Service (KMS). This includes:

DynamoDB database tables — encrypted with AWS-managed keys
All backup data — encrypted with the same standards
Log files and audit trails — encrypted at rest

Encryption in Transit

All communication between your device and HeyDrop uses TLS 1.2 or higher. This applies to:

All API calls and data transfers
Client-to-server communications
Inter-service communications

Secrets Management

All sensitive credentials, API keys, and tokens are stored in AWS Secrets Manager with automatic rotation policies. These secrets are never hard-coded or stored in source code.

Authentication Tokens

HeyDrop uses JWT (JSON Web Tokens) with secure cryptographic signing. Tokens are short-lived and validated on each request.

3 Authentication & Access Control

We employ multi-layered access controls to ensure only authorized users and systems can access HeyDrop data.

User Authentication

User authentication is handled by Amazon Cognito, AWS's managed identity service. Cognito supports:

Username and password authentication
Multi-factor authentication (MFA)
SSO with external providers
Secure password reset flows

Internal Access Control

AWS IAM (Identity and Access Management) enforces least-privilege access for all HeyDrop systems:

Role-based access policies for all services
AWS SSO (IAM Identity Center) for team administration
Separation of duties — read-only vs. write access
Temporary credentials with automatic expiration

Team Role-Based Access (RBAC)

HeyDrop Teams includes granular role-based access control:

Admin — Full team management and billing access
Editor — Can manage team cards and content
ReadOnly — View-only access to team data

4 Monitoring & Observability

HeyDrop implements comprehensive monitoring to detect and respond to potential security incidents.

Infrastructure Monitoring

AWS CloudWatch continuously monitors all infrastructure metrics including:

CPU, memory, and network utilization
Application error rates and latency
Database performance and query metrics
Real-time alerting for anomalies

Distributed Tracing

AWS X-Ray provides end-to-end visibility of requests across microservices, enabling rapid debugging and performance optimization.

Audit Logging

AWS CloudTrail logs all API calls and administrative actions, providing a complete audit trail for compliance and security investigations.

5 Data Backup & Recovery

HeyDrop maintains continuous backups to ensure data availability and recovery in case of unforeseen events.

Automated Backups

Point-in-Time Recovery (PITR) — DynamoDB PITR is enabled, allowing recovery to any point within the last 35 days
Continuous Backups — All data is continuously backed up with automatic redundancy
On-Demand Backups — Additional manual backups can be created for specific recovery scenarios

Recovery Testing

We regularly test our backup and recovery procedures to ensure they work reliably when needed.

6 Application Security

HeyDrop follows secure development practices throughout the software development lifecycle.

Dependency Scanning

All application dependencies are automatically scanned for known vulnerabilities. Updates are applied promptly to address any identified security issues.

Secure Development Lifecycle

HeyDrop implements industry best practices:

Code review requirements before deployment
Automated security scanning in CI/CD pipelines
Input validation and output encoding to prevent injection attacks
CSRF token validation on all state-changing operations

Configuration Management

All environment-specific configurations and secrets are managed through:

AWS AppConfig — Centralized configuration management
AWS Systems Manager Parameter Store — Secure storage of application parameters
No sensitive data is committed to source code repositories

7 Incident Response

HeyDrop maintains a detailed incident response program to rapidly identify, contain, and remediate security incidents.

Breach Notification

In the event of a security incident affecting customer data, we are committed to:

Notifying affected users within 72 hours (GDPR Article 33 requirement)
Providing clear information about the nature of the incident
Recommending protective actions users can take

Incident Response Procedures

HeyDrop maintains documented procedures for:

Incident detection and triage
Containment and remediation
Root cause analysis
Notification and communication
Post-incident improvements

Testing & Drills

We regularly conduct incident response simulations and tabletop exercises to ensure our team is prepared.

Report a Security Issue

If you discover a security vulnerability, please email [email protected] with details. We commit to acknowledging all reports within 48 hours.

8 Vendor Security

HeyDrop carefully vets all third-party vendors and subprocessors to ensure they meet our security and privacy standards.

Security Assessments — All subprocessors are evaluated for security practices and certifications
Data Processing Agreements — Formal DPAs are in place with all vendors that process customer data
Regular Reviews — Vendor security posture is reviewed periodically
Transparency — Our subprocessor list is publicly available

9 Data Residency & International Transfers

HeyDrop stores customer data securely with legal frameworks for international transfers.

Primary Data Storage

HeyDrop's primary database is located in AWS us-east-1 (United States - N. Virginia). All customer data is stored in this region by default.

International Data Transfers

For customers and partners in the European Union, international data transfers are governed by:

EU-US Data Privacy Framework (DPF) — AWS is certified under the DPF, enabling lawful data transfers to the US
Standard Contractual Clauses (SCCs) — Additional legal safeguards for data transfers

AWS Certifications

AWS maintains the certifications necessary to legally transfer data from the EU to the United States under current data protection regulations.

10 Responsible Disclosure

HeyDrop welcomes security research and responsible vulnerability reporting. We are committed to working with security researchers to protect our users.

Report a Vulnerability

If you discover a security vulnerability in HeyDrop, please report it to [email protected] with:

A clear description of the vulnerability
Steps to reproduce the issue
The potential impact on users
Any relevant technical details

Our Commitment

We will acknowledge receipt of your report within 48 hours
We will provide regular updates on our investigation progress
We will not take legal action against good-faith security researchers
We will work to remediate confirmed vulnerabilities promptly

Safe Harbor
We appreciate security researchers' efforts to improve our security. Good-faith vulnerability reports will not result in legal action or adverse treatment.