Privacy is at the core of what we do. A GDPR-compliant Data Protection Agreement is signed between Figures and every participant. Anonymous data is collected, stored (in Europe) and processed in accordance with GDPR regulation. Your data is safe with us. To know more, have a look at our privacy policy.

Cloud

Our servers are hosted by Digital Ocean in Amsterdam.

They have the following certifications: SOC 1, SOC 2, PCI-DSS, ISO/IEC 27001:2013.

Servers

Our servers enforce HTTPS with TLS 1.2 / AES 256, the best market standard.

All ports are blocked except 80/443. Servers are only accessible through SSH via a VPN and strong authentication.

Storage

All of your private data is stored in a Postgres database that is never accessible from the outside world. Sensitive employee or company data is never sent from the database to third-party services.

We use Amplitude to track product usage & analytics. Data sent to Amplitude never contains any personal data.

Accounts

Figures uses Google Workspace or Microsoft 365 for authentication. We do not use passwords, which greatly reduces the probability of account takeover.

We strongly recommend that you enforce two-factor authentication on your Google or Microsoft accounts.

Company administrators have full control over who is granted access to the tool. Moreover, you can use fine-grained permissions to grant your team members access only to specific job families or levels.

Software

Our codebase contains an extensive test suite that has a major focus on security.

Continuous integration is set up to prevent any failing build from reaching production.

All of our data endpoints are protected by rate-limit throttling to prevent brute force attacks and denial of service.

Roadmap

September 2021: we're currently in contact with several companies to perform penetration testing and security audits on our systems. We'll publish the reports as soon as they're available.

End of 2021: we'd like to set up a bug bounty program to get continuous security monitoring.