Security

Trust Count to keep your data secure

Ensuring our users not only have easier access to their data but that it is always secure and in their control is at the core of Count's design. We pride ourselves on having world-leading technology and this includes the security measures we put into Count and the procedures which describe how we work as a team.

Meet your compliance requirements

Security and trust are integral at Count. We have achieved audit certification for Service Organization Controls (SOC 2) Type II, with a focus on the Security trust service criterion. This ensures our business and technology controls are independently audited annually. Please view our Trust Services Report, or contact [email protected] for more information on our SOC 2 Audit report.

Security Program Highlights

User privacy, integrity, and authentication

  • HTTPS & SSL/TLS - Count requires all user communication to be through HTTPS (Hypertext Transfer Protocol Secure) using TLS (v1.2 and above). This ensures privacy, integrity, and authentication for all traffic to/from our website. We additionally employ HSTS to protect against potential downgrade attacks.

  • Cross-site request forgery (CSRF) tokens - We verify CSRF tokens on every request to make sure your data can't be tampered with by malicious third parties.

  • No passwords - We require users to authenticate using magic links or Google Auth. This means we never store their passwords and organisations can safely control their employees' access to Count. It also allows organisations to use and control two-factor authentication by default.
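The CSRF protection described above, as an added example that is not Count's code: a per-session token is minted with an HMAC under a server secret, carried in a form field or header, and checked with a constant-time comparison on every non-safe request. The secret, the session id and the token lifetime are assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

# Constructed for this example: a real deployment loads the key from a secrets
# store and rotates it; it must never be derived from anything the client sends.
SERVER_SECRET = os.urandom(32)
TOKEN_TTL_SECONDS = 3600


def _mac(session_id: str, nonce: str, issued_at: int) -> str:
    """HMAC over session id, nonce and issue time: the token is useless on any
    other session and cannot be forged without SERVER_SECRET."""
    msg = f"{session_id}|{nonce}|{issued_at}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_csrf_token(session_id: str, now: Optional[int] = None) -> str:
    """Mint a token 'nonce.issued_at.mac' to embed in a hidden form field or header."""
    issued_at = int(time.time()) if now is None else now
    nonce = os.urandom(16).hex()
    return f"{nonce}.{issued_at}.{_mac(session_id, nonce, issued_at)}"


def verify_csrf_token(session_id: str, token: str, now: Optional[int] = None) -> bool:
    """True only if the token was issued for this session and is still fresh."""
    now = int(time.time()) if now is None else now
    try:
        nonce, issued_str, mac = token.split(".")
        issued_at = int(issued_str)
    except ValueError:
        return False  # malformed or empty token
    if issued_at > now or now - issued_at > TOKEN_TTL_SECONDS:
        return False  # issued in the future or expired
    try:
        # Constant-time comparison so timing does not leak how many bytes matched.
        return hmac.compare_digest(_mac(session_id, nonce, issued_at), mac)
    except TypeError:
        return False  # non-ASCII garbage where the hex MAC should be


def handle_request(method: str, session_id: str, form: dict) -> int:
    """Return the HTTP status a handler would send. Safe methods pass through;
    anything that can change state must carry a valid token."""
    if method in ("GET", "HEAD", "OPTIONS"):
        return 200
    if not verify_csrf_token(session_id, form.get("csrf_token", "")):
        return 403
    return 200
```

Binding the MAC to the session id is what stops a token harvested from one account being replayed against another; the expiry bounds how long a leaked token stays useful.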

Database connections

  • Secure credentials - You connect your database to Count by entering your SSH or database credentials. These are kept strictly private and are encrypted using industry-standard 128-bit AES encryption.

  • Read-only by default - By default all connections to your database use read-only transactions, meaning your database tables can never be altered by Count. You can optionally provide Count with access to its own database schema where it can create materialised tables but these cannot conflict with your native database tables.

  • You remain in control of your data - By default we do not copy or replicate your database data on our servers. Count sends SQL queries to your database and routes the results to the client using a buffering cache. For database intensive queries, or query results you want saved as snapshots in time, we provide secure caching options, where the results of those queries are saved to a private bucket, encrypted at rest, and are retained only for as long as you need them.

  • Load protection - In addition to database query result caching, we have a number of measures to protect your database from too much traffic. For example, we limit the number of rows returned by the database, allow users to toggle off cell auto-updates and have a default query timeout to stop database lockup.
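The three database safeguards above (read-only connections, a cap on returned rows, and a query timeout) combined in one added example. This is not Count's code: it uses SQLite from the Python standard library as a stand-in for the customer's database, opening the file in read-only mode, fetching one row past the limit to detect truncation, and aborting the statement through a progress handler once a deadline passes. The sample table, the runaway query and the limits are constructed for the demonstration.

```python
import sqlite3
import tempfile
import time
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple


@dataclass
class QueryResult:
    rows: List[Tuple]
    truncated: bool              # True if the row limit cut the result short
    error: Optional[str] = None  # set when the database refused or aborted the query


def run_guarded_query(db_path: str, sql: str, params: Sequence = (),
                      max_rows: int = 1000, timeout_s: float = 5.0) -> QueryResult:
    """Run `sql` on a read-only connection, return at most `max_rows` rows,
    and abort the statement if it runs longer than `timeout_s` seconds."""
    # mode=ro: the connection itself cannot write, so a stray UPDATE fails at
    # the database instead of relying on the application to filter SQL text.
    conn = sqlite3.connect(f"file:{db_path}?mode=ro", uri=True)
    deadline = time.monotonic() + timeout_s

    def abort_if_late() -> int:
        # SQLite calls this every N VM steps; a non-zero return aborts the statement.
        return 1 if time.monotonic() > deadline else 0

    conn.set_progress_handler(abort_if_late, 1000)
    try:
        cur = conn.execute(sql, params)
        rows = cur.fetchmany(max_rows + 1)  # one extra row tells us the limit was hit
        return QueryResult(rows=rows[:max_rows], truncated=len(rows) > max_rows)
    except sqlite3.OperationalError as exc:
        return QueryResult(rows=[], truncated=False, error=str(exc))
    finally:
        conn.close()


def make_demo_db(n_rows: int = 50) -> str:
    """Constructed sample database: one `orders` table with n_rows rows."""
    path = tempfile.NamedTemporaryFile(suffix=".db", delete=False).name
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE orders (id INTEGER PRIMARY KEY, amount REAL)")
    conn.executemany("INSERT INTO orders (amount) VALUES (?)",
                     [(float(i),) for i in range(n_rows)])
    conn.commit()
    conn.close()
    return path


# Constructed: a query that never finishes, standing in for a runaway report.
RUNAWAY_SQL = ("WITH RECURSIVE c(x) AS (SELECT 1 UNION ALL SELECT x + 1 FROM c) "
               "SELECT count(*) FROM c")
```

On PostgreSQL or MySQL the same shape applies with a `READ ONLY` transaction and a statement timeout instead of the SQLite URI flag and progress handler; the point is that each limit is enforced by the database engine, not by inspecting the query text.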

Our servers

  • EU servers - All of Count's servers are based in the EU, hosted by Google Cloud Platform. Access to our servers is protected through two-factor authentication, and access is only given to a select number of Count employees.

  • Encrypted at rest - All the user information stored on our servers is automatically encrypted at rest.

  • Firewall - Our servers are private, meaning they are closed to all connections except those explicitly allowed by us.

  • Rate limiting - We limit the number of requests we will accept from a single user, to guarantee uptime for our customers and prevent denial-of-service (DoS) attacks.

  • Web Application Firewall - Our website, application and APIs are protected behind Cloudflare's global network and WAF capabilities, helping us to filter and monitor traffic from the internet.

  • Uptime and monitoring - We actively monitor our service status and our development team is immediately alerted if any issues occur. We alert users in advance of impending maintenance work on our site. Click here to check our service status.
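The per-user rate limiting described above, as an added example that is not Count's code: a token-bucket limiter keyed by caller, which lets each key burst up to a fixed capacity and then holds it to a sustained rate, plus the 429 response with a Retry-After header a front-end would send when the budget is exhausted. The capacity, refill rate and key names are assumptions constructed for the demonstration.

```python
import math
import time
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class _Bucket:
    tokens: float   # tokens currently available
    updated: float  # clock reading at the last refill


class TokenBucketLimiter:
    """Per-key token bucket: a key may burst up to `capacity` requests and is then
    held to `refill_per_second` sustained. The key is whatever identifies the
    caller (user id, API key, client address)."""

    def __init__(self, capacity: int, refill_per_second: float) -> None:
        self.capacity = float(capacity)
        self.rate = refill_per_second
        self._buckets: Dict[str, _Bucket] = {}

    def _refill(self, key: str, now: float) -> _Bucket:
        bucket = self._buckets.get(key)
        if bucket is None:
            bucket = _Bucket(tokens=self.capacity, updated=now)  # new keys start full
            self._buckets[key] = bucket
        else:
            elapsed = max(0.0, now - bucket.updated)
            bucket.tokens = min(self.capacity, bucket.tokens + elapsed * self.rate)
            bucket.updated = now
        return bucket

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        """Consume one token for `key` if one is available; otherwise reject."""
        now = time.monotonic() if now is None else now
        bucket = self._refill(key, now)
        if bucket.tokens >= 1.0:
            bucket.tokens -= 1.0
            return True
        return False

    def retry_after(self, key: str, now: Optional[float] = None) -> float:
        """Seconds until `key` will have a whole token again (0 if it already does)."""
        now = time.monotonic() if now is None else now
        bucket = self._refill(key, now)
        if bucket.tokens >= 1.0:
            return 0.0
        return (1.0 - bucket.tokens) / self.rate


def check_request(limiter: TokenBucketLimiter, key: str,
                  now: Optional[float] = None) -> Tuple[int, Dict[str, str]]:
    """Status code and headers a front-end would attach: 429 with Retry-After
    when the caller is over its budget, 200 otherwise."""
    if limiter.allow(key, now):
        return 200, {}
    wait = limiter.retry_after(key, now)
    return 429, {"Retry-After": str(max(1, math.ceil(wait)))}
```

Injecting `now` keeps the limiter deterministic under test; in production the default monotonic clock is used, and the bucket table would live in a shared store so every front-end node sees the same budget for a user.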

Development process

  • Automated security checks on build - We have automated safeguards in place to check our code and hosting environments for potential issues before anything goes live.

  • Penetration testing - We commission a CREST-certified penetration testing company to test our systems annually, to ensure there are no open doors through which a malicious third party could gain access.

  • Code reviews and standards - We draw on industry experience both internal and external to ensure our code is readable, maintainable and free from security vulnerabilities.

Customer data procedures

  • GDPR - We offer organisations a data protection agreement (DPA) as they sign up to Count so they can be GDPR compliant with Count acting as a data processor for them. You can see our DPA here.

  • Strict employee confidentiality - All our employees are required to sign an extremely strict confidentiality agreement before they are allowed any interaction with customer information.

  • Customer data - We place very strict controls over our team's access to customer data. Only a very small number of Count employees are allowed access to customer data and only for the purpose of helping customers when requested for support purposes. We require written permission before we can do this. We maintain logs of all users who access customer data.

Data access controls

In addition to the security procedures above, the Count platform has a number of internal features to help users manage data access across their team:

  • Each workspace has at least one Owner who has complete control over the workspace including billing, which individuals can access the workspace and what those individuals can access.

  • The workspace contains a number of database connections as defined by the owner and any workspace admins they specify.

  • Admins can define which database connections other users can access within their projects.

Additional security features

  • Security policies - Count has developed a comprehensive set of security policies covering a range of topics, including Access Management, Disaster Recovery and Business Continuity, Incident Response and Risk Management. These policies are updated frequently and all employees and contractors must agree to them annually. Access to some of our policies can be requested on our Trust Services Report.

  • Security training - All Count employees and contractors must complete security training at least annually.

  • Employee background checks - Count performs background checks on all new employees and contractors in accordance with local laws.

  • Employee laptop checks - All Count employee laptops are monitored remotely to ensure compliance with our security procedures, including checks on installed operating system version, antivirus software status, password manager usage and hard-drive encryption.

  • PCI - All payments made to Count go through our payment partner, Stripe. See Stripe's security page for details on their security and PCI compliance.

Legal documents

Our Terms of Use and Privacy Policy provide further information on our legal obligations to our users.