All data on the Geocodio platform, is transferred securely via HTTPS, ensuring that it is always encrypted in transit. This includes uploaded spreadsheets as well as access to our API. Customers may, however, explicitly decide to use the non-HTTPS API endpoint. Uploaded spreadsheets are encrypted at rest using AES256, and can be permanently deleted at any time.
On our standard platform, some API requests may be logged to disk in plain text. Need full encryption at rest? See (#hipaa-compliant-geocoding)
Geocodio utilizes redundant, physical, dedicated servers and are not sharing hardware resources with other companies. We use state-of-the-art data centers with strict security such as electronic access controls, high security perimeters and 24/7 video monitoring of access routes, entrances, server rooms and more. Our infrastructure is distributed across multiple physical data centers, operated for full redundancy. Read more about how we ensure high availability.
We use automation and monitoring best-practices to ensure that all internal and external services receive ongoing security patches to protect against vulnerabilities. We utilize the principle of least privilege to limit our attack surface as much as possible, including addition of strict firewall and permission rules and utilizing internally-routed network traffic whenever it is possible. A third party company is contracted to conduct ongoing security scans, including port and vulnerability scans of all of our external networks.
All accounts include an audit log that tracks time/date, IP address, action taken, and email address. If you have a Geocodio account, you can see your audit log here. If you're working with a team, we encourage you to create a Team Account so you can control access to your organization's data and add/delete users. We understand that user security is important to organizations large and small, so there is no additional cost to create a Team Account. If you already have a Geocodio account, you can create a Team Account here. You can delete your account at any time via the dashboard.
For particularly sensitive data, we have designed a HIPAA-compliant version of our product that includes even stricter access controls, and is located in a US-based HIPAA and SOC 2 compliant data center.
This plan is designed for health organizations, but is used by other organizations with the highest data protection concerns.
If your organization requires a BAA, please see our HIPAA-compliant version.