Security

Security & Compliance

We take security seriously. Our platform leverages industry-leading infrastructure and security practices to protect your data.

Shared Responsibility Model

Sembley follows the industry-standard Shared Responsibility Model, which outlines how security duties are divided between our hosting provider and our application. Heroku is responsible for securing the platform infrastructure, including the systems and services that run our application.

Sembley is responsible for the security of our application itself, including how we build features, manage authentication and access controls, and handle user data within the product. This model is widely adopted because it clearly separates responsibilities and helps ensure strong, consistent security across every layer of the system.

Compliance Standards

Heroku maintains compliance with industry-leading security and data protection standards. In addition to Heroku's security measures, we implement authentication and access control using Rails and Devise-JWT to ensure secure handling of user data. Heroku has obtained the following certifications:

ISO/IEC 27001

Information security management system certification.

ISO/IEC 27017 & 27018

Security controls for cloud services and protection of personal data.

SOC 1, SOC 2, & SOC 3

Reports on controls relevant to security, availability, processing integrity, confidentiality, and privacy.

PCI-DSS

Compliance with the Payment Card Industry Data Security Standard for handling payment information.

Heroku undergoes regular third-party audits to maintain these certifications.

Infrastructure Security

Heroku provides the following security measures:

Data Encryption

All data in transit is encrypted using TLS. Heroku Postgres databases support encryption at rest.

Access Controls

Heroku requires multi-factor authentication (MFA) for admin access and offers role-based access controls.

Network Security

Heroku isolates customer applications using Private Spaces and applies strict firewall rules.

Logging and Monitoring

Heroku provides logging and monitoring tools for auditing and security event tracking.

Application-Level Security

We use Ruby on Rails as our web application framework and implement authentication with Devise-JWT, which provides token-based (JSON Web Token) authentication. This protects sensitive user data during the authentication and authorization flows.

Internal Protocols

While Heroku is responsible for securing its infrastructure, we are responsible for securing our applications and managing access controls. This includes:

Implementing authentication and authorization with Devise-JWT for secure, token-based access.

Enforcing best practices for API security and data protection in our Rails application.

Regularly reviewing and updating security configurations to mitigate risks.