Security Overview

Last updated: November 25, 2021

We protect your data

All data are written to multiple disks instantly, backed up daily, and stored in multiple locations.

Your data are sent using HTTPS

Whenever your data are in transit between you and us, everything is encrypted and sent using HTTPS. Within our firewalled private networks, data may be transferred unencrypted.

Our application databases are generally not encrypted at rest — the information you add to the applications is active in our databases and subject to the same protection and monitoring as the rest of our systems.

Sophisticated physical security

Our Services are hosted in data centers operated by industry-leading service providers who offer state-of-the-art servers protected by biometric locks and round-the-clock interior and exterior surveillance monitoring. Only authorized personnel have access to the data center. 24/7/365 onsite staff provides additional protection against unauthorized entry and security breaches.

Regularly-updated infrastructure

Our software infrastructure is updated regularly with the latest security patches. Our services run on a private network that is locked down with firewalls and carefully monitored.

We protect your billing information

Your payments are handled by third-party service providers; we are not responsible for these parties or their services and have no liability as concerns payment processing. The third-party service providers process all credit card transactions using secure encryption, the same level of encryption used by leading banks, and the card information is transmitted, stored, and processed securely on a PCI-compliant network.

Constant monitoring

We have configured our system to maintain your account's security, and our monitoring tools to alert us to any nefarious activity against our domains. To date, we’ve never had a data breach.

We also audit internal data access. If a 19 Signals employee wrongly accesses customer data, they will face penalties ranging from termination to prosecution. Again, to our knowledge, this hasn’t happened.

We have processes and defenses in place to keep our streak of 0 data breaches going. But in the unfortunate circumstance that someone malicious does successfully mount an attack, we will immediately notify all affected customers.

Have a concern? Need to report an incident?

Have you noticed abuse, misuse, or an exploit, or experienced an incident with your account? Please visit our security response page for details on how to securely submit a report.

19 Signals policies are open source, licensed under CC BY 4.0. Adapted from the Basecamp open-source policies / CC BY 4.0.