Last updated: December 20, 2022
Watershed supports Single Sign-On authentication via Google Workspace, SAML, or OpenID Connect. Other authentication options include Magic Link authentication via email and password authentication, although we recommend SSO. When we do store passwords, we use PBKDF2 hashes, and a per-password 32 byte salt generated using a Cryptographically Secure Pseudo-Random Number Generator.
We encrypt data both in transit and at rest. We use TLS 1.2+ to secure HTTP traffic, and AES-256 to encrypt data at rest in Google Cloud Storage.
We maintain audit logs for our infrastructure and for key actions within the Watershed product. Customers can access product audit logs for their organization via our API. Our logs are structured, and are retained for at least 30 days.
We consider security risks and tradeoffs from the beginning of the requirements definition and design process, through to implementation, deployment, and operations. We review for security concerns during our code review and pull request process, and we use automated scanners to detect vulnerabilities in open source dependencies.
We engage an outside firm to conduct penetration tests twice annually to test the security of our web application and cloud infrastructure. We are currently working with an independent auditor to complete our SOC 2 report.
Monitoring and alerting
We use a variety of tools for performance monitoring and error logging across our web application, data services, and background jobs. Alerts are configured to go to the appropriate on-call engineers.
Responsible disclosure policy
If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at firstname.lastname@example.org. We will acknowledge your email within one week.
Please provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Watershed service. Please only interact with accounts you own or for which you have explicit permission from the account holder.
While researching, we’d like you to refrain from:
- Denial-of-Service (DoS)
- Social engineering or phishing of Watershed employees or contractors
- Any attacks against Watershed’s physical property or data centers