We do everything we can to ensure the security and privacy of Storypark. We comply with international best practice and have been audited by Price Waterhouse Coopers as part of due diligence for one of our major customers.
Where is your information stored?
Our production servers are all hosted with Amazon Web Services in their Sydney region. We selected Amazon both for the location of its services and for its dedication to security and reliability in offering hosting and infrastructure for cloud platforms. Amazon is tried and trusted by all manner of internet companies, many of which operate with confidence at a much larger profile and scale than Storypark.
What protections do you have in place?
End users are protected by end-to-end SSL encryption, which is currently tested with an A+ rating using SSL Labs’ Server Test. This ensures that the data between you and us is encrypted and protected from the outside world. The connection between our application servers and the database server is treated in the same way. These servers are behind firewalls and run only the Storypark website (they are not on shared hosting).
Our database systems are encrypted at rest, ensuring the backups are only accessible by someone with the decryption keys. We use AWS RDS PostgreSQL as our primary database store, and are currently using PostgreSQL 10.6. We keep daily snapshots for the last two weeks and are able to restore to a point in time (if needed for disaster recovery) to within 5 minutes, if notified within a 2 week timeframe.
Storypark follows industry standards of one-way encrypted (‘hashed’) passwords using bcrypt with a per-password salt. We never ask for passwords and never store them in cleartext. We ask for very few personal details and do not store credit cards.
If a user fails to log in after ten tries, we will lock their account to protect their Storypark profile.
All media links are served to end-users as signed URLs, ensuring that they are time-restricted and limiting the impact if they’re shared.
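How a time-restricted signed link can be built and checked, as an added example that is not Storypark's own code: the HMAC-SHA256 scheme, the `SignedMediaUrl` module, the key and the `/media/...` paths are all assumptions constructed for illustration.

```ruby
require "openssl"
require "uri"

# Hypothetical signer: HMAC-SHA256 over "path\nexpiry" with a server-side key.
module SignedMediaUrl
  KEY = "constructed-demo-key-not-a-real-secret" # constructed value

  def self.signature(path, expires)
    OpenSSL::HMAC.hexdigest("SHA256", KEY, "#{path}\n#{expires}")
  end

  # Returns a relative URL that is valid until now + ttl seconds.
  def self.sign(path, ttl:, now: Time.now.to_i)
    expires = now + ttl
    "#{path}?expires=#{expires}&sig=#{signature(path, expires)}"
  end

  # Returns :ok, :expired or :bad_signature.
  def self.verify(url, now: Time.now.to_i)
    uri = URI.parse(url)
    params = URI.decode_www_form(uri.query.to_s).to_h
    expires = Integer(params["expires"], exception: false)
    return :bad_signature if expires.nil?

    # Authenticate path and expiry first, with a constant-time comparison,
    # so a client cannot extend the lifetime by editing the expires value.
    expected = signature(uri.path, expires)
    return :bad_signature unless OpenSSL.secure_compare(params["sig"].to_s, expected)
    return :expired if now > expires

    :ok
  end
end

if __FILE__ == $PROGRAM_NAME
  url = SignedMediaUrl.sign("/media/photo-123.jpg", ttl: 300)
  puts url
  puts SignedMediaUrl.verify(url)
end
```

Because the expiry is covered by the signature, a shared link stops working once its lifetime ends, and changing either the path or the expiry invalidates it.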
While Storypark is a multi-tenanted system, we have extensive automated testing in place to ensure that any code change does not affect the authorisation or permission code.
The site is written in Ruby on Rails, and is continually upgraded to the latest version of the framework for performance and security reasons.
Images within Storypark are subject to both technical protections and access restrictions. Only the owner of the account can download images to their own local drive:
- Centre admins are able to download images from any and all stories created at their service.
- Parents are able to download images where their child has been tagged in a story.
What if I want to remove my data?
We keep a temporary history of most deletions, in case the deletion was an accident (which we can rectify through support requests). Outside of that grace period, if you decide to remove your content from our system, all images and video are permanently removed. We strongly believe this content is yours, and we’re simply storing it for you. You own it, so if you request to have it removed, it is removed from the internet.
Are there busy times when we should avoid using Storypark?
No! Our load varies over the course of a day, but our architecture will auto-scale to accommodate the number of users on Storypark at any time. We are not aware of any capacity bottlenecks with our system, and don’t believe you’ll even notice when we’re busy compared to not busy.
Our commitment to confidentiality and privacy
All users must agree to not share another user's personal information without that user's explicit permission or to share a child’s personal information without the permission of that child's parent or guardian.
We do not sell your data. You will see reference to the fact that some personal information may be provided to companies located in the USA who offer software-as-a-service products that process content for inclusion within Storypark (for example, conversion of images and videos to make them suitable for viewing online/through a web browser). Those third parties do not control, and are not permitted to (and are contractually obligated not to) access or use the personal information provided except for those limited purposes. We only choose reputable service providers and have agreements with such third parties that prevent them from using or disclosing to others the personal information we share with them, other than as is necessary to assist us.