Last updated July 24th, 2020. Previous versions and the change history is available here.
This document outlines Bike Index’s IT security recommendations, our expectations for security research, what we do to protect against data loss and downtime, and what we will do in the case of a breach.
All persons accessing Bike Index hosting tools access the tools from their own accounts. We require multi-factor authentication for all services that offer it. All individuals with access to hosting tools must use a password manager and use separate passwords for each service.
We automate fixes for operating system CVEs and web framework CVEs on the Bike Index webapp, to ensure applicable fixes are live as quickly as possible.
All Bike Index data is encrypted both at rest and in transmission, using industry standard encryption.
To protect our customers’ privacy, Bike Index only collects the minimum information required to provide the service and tools we offer.
Bike Index does not store healthcare or credit card information and therefore PCI and HIPAA compliance are not necessary.
Bike Index complies with all applicable legal and regulatory requirements for data protection, security and privacy for the services that we provide.
We limit and control access to each organization account. Unauthorized access to organizational and user data is strictly prohibited.
Bike Index is primarily an open source project and we welcome responsible security testing and vulnerability disclosure. If your report contains sensitive data, please contact seth@bikeindex.org (preferably using this GPG key).
-----BEGIN PGP PUBLIC KEY BLOCK----- mQINBFSkF4IBEADUTE4p14fU0aseC5bqYmO3Se04lxCiGXQgrX97GRUD/9VnvLq4 sOZ4Nj870Zbkp9BcpWr/0bwaVWPnqkfPsYac3rqD2TeTSwYfq/BGpHPwGBk5+zn7 TQADPs1rkb8DL+JEFTBPDzoZA/AxOuUD5bBvaQRKSvi4LekWix47NWlwn7tDrs3s WFMOau3DK7bj3OXtZtLLBMA/IS/sTX2k7a+FdDsxsrNrFXmoe7cf9hDy7bOq8kNs oPIYKUsJTRnNh/6qU+qxziraFOGO45VyEp1j3AblqA/UiXtlY89giAgG2EJLJQPv 42FMHX/8bbL23qQ57Cw2AVjlBapYNnHtzW3Uz9JmfH+JHc9YvJEErj3XZWyq7pJt bwGxuh+KyXfXm3gz+rgujbZYDF19vl/lr9ujefMof1sIM+brW4bameZ+t+mr6k8V XtLnXjcqiwCZD/LYcl5KT5o5gxmsKNp/dktz8+u0tdssucM57CAUL9z2WSbhyyoA zrmpzWL1CyOvmBT6mnMKhF4bfUh5GDrkvJOQSQM7BN1Y+9J/Pt5qrRL+Zr6l2Ny1 +cfMtgYPbYZD3Qfx5RbpE7wVshvoaqF4slnJ7NZHTINRPJNWnZ4EsoysbHq++H3v tAMd24jNguVIXlJvkwS5a1165ajf4YawVSgNHO5xOB6RhAoQK69izhV5pQARAQAB tB5TZXRoIEhlcnIgPHNldGhAYmlrZWluZGV4Lm9yZz6JAlQEEwEKAD4CGwMFCwkI BwMFFQoJCAsFFgIDAQACHgECF4AWIQTMmUKkCwBFCFBqQGXe0SSTxIiRgwUCXxtT ZgUJFLEOZAAKCRDe0SSTxIiRg9vZEACHOE/gBIiFAQm6vzv9/pfFZm29f//qaUBL A6xIY5+D7sXntlzk75Q3oVYJev3pgnHMW9HSQQy3YYbUgMWU4hMTUxWCwcnajb/h cgAMQqstFhlutOiodYPaLrGzFTHneRbHhP69J8m4zFWmyTKLviAb6Rgm2J71skRS Ch8gIjOm2CVv/7k9FKI4CXFoFDU6zczRh4RVK219PbRzHOfRQRnRSAu7jqjVkUIl Eown2F2zQ11c9KVM2+oksMIwK0DRM234ZqbAQXm0pl/H0aqf/wbeVk+BacEQscyO /yqhehgG/x0W0LBQiS90lYOjcETiNIEZ43ToX1nF0HtjHZMi9xEk8BoPvL1J6Q48 hORTzMPXlFr9iDOtvIVMa30VviY1oYgqiIk1I5NWLId9H6xJ4e9GB78cpYWXzVv1 1w2JIDnt23EYzMDC9PwGa4NPapD4Qdqz3ToJe7g4JPAuVu5Um0LqiFwPAYFlMNrG 8ENvC88Q7xTNeK2phr8IaXkb7p4qm+Dq/4CAOPqMKilpEFY+NKC0Vi7DxXYEUktG YXp84qwWzwRS0b2AgccIY18walojdt3Ryb6vRH9kntAiTPQoCu5Z75LlvEPBd+TE KmiyhDpOt92IpGhyhN/OvwbmsACUcvDcsw3fGeaORNLv94/CgvZIMpyPL0aSka90 lLgUj+6zjbkCDQRUpBeCARAAoPZ7sIwjbKAJZB5FI3/lfHnPwQbLH/f2eq7ZbKC3 9Nporrya9TLMiFAeEm+b+Hyyl6di7ZAAzvXD8+g5yZNEnq9b+pnDr7eS8+qcwEL9 KuMHXgB7AA3zBd98y25KXiDMT7DxVXML1VeUQJvGV6BF17w2QVn8SiNytx11zlHb sDkYaqPl6KSAzXusYVFu2AeeXbyvBDKTZHqfZMIieygzJt9u7DB+Snqs2ku3+Oto 6zepFzIELcYcyGf5Pw+UKBCdOImpD9uThl21tbTryuWynAJYslcj+xScXZJP5nVg Aw4DCSRQxZ2UwwEU9uRD+mjXpnJk3PBRmB26WvZhEQlrxZV4l5AJRHu/xh8gxEA0 nA3l1eTwqEryVbOwTthTY993+FHmK/opzfpU+gm5VGOj6FQ65chx/5DhlUcIJHFu uFqRVjxEEGaRb28oQhD+nq+Rbbr8mFj07oCM2pq0b5aTQtX2kpz+qulJAQK92aEP 2uvim4cqxNo/z+sj2xFH9eKaWrZ9tJ3UVv7WmqDwe8WcYrBt72d3PJZ8JFUUa9iD XW/QaMtj6m+FByI3FotRPu+mqZNBHFwDegB849U4nTU8rIXKI7xoESkiN+4ATQg5 7+bc5r2mBuapgW102B481lJnj4CcoEJtbyVgMM2WIxZvdk+Yk0h2o/LIZHb2hVUD O+UAEQEAAYkCJQQYAQoADwUCVKQXggIbDAUJC0nYAAAKCRDe0SSTxIiRg1a/EACg JK7EP/vrBp/lc3UjXB+L5hRZiyF4+gAXdk8vhgKlWqdV8F1NqFnjm+3VUU8a1Zi/ WVkbcgMz8mZAMViXSdCMHZcjO9YBMnWOM8RyZUm98pizl4u/3qCoqBbcpPy1qs2B 7UdjKSC9yBLw6F80vC4AfCVm9WJtua4i8WzA7UPd2zmIDhqMW2j0B1WcOpSn8wP4 FArH9mf7wxHM0TXMiNHlFVlspbhDfKmupQ+/Dcrno00aC63qqzVQHIcloaWXgihM PIRacOZZMzhKEhD73FBvZRua5f2sVprrO5dR/LqYVzGzFSWScm6BDjIgGoxaxDSv 8M7N4Z986efIAJeo0eEmcCmylqUNJG34X1vn+xA4OEogJ8HpJ2c5y0g4K/iBFiOT +iP+AzrJOhE1xRti4OPEo4Rr/FFmf8DT0p6uHhPtjHXl0r7xIT7oZXfNh3lRyyrD twN9axSn2YtNQKCWJQjQ9HmbRw3DRvL9uJecmb7jXV1fcHINMCVb9zZa/okadvRl oin3sYur+n/DamrA764DfUPJjq5YGTge9tW4X8Ag2r47gjoSlhaYUxXD05SEx65Q ZSzCdnWXFxXEHICVRCjiICIDFld8EpvX+Cg4e7GqXzmmbpmp1n2nydjzlwidwr5h 0HL2Gzabu1fvELj3DTpg9YtwHNE42zCSe4Atqfgt8A== =+oNO -----END PGP PUBLIC KEY BLOCK-----
When researching, please don't: Spam us, DOS or DDOS us or social engineer (including phishing) our staff or contractors.
Bike Index backs up its database hourly and daily and stores the encrypted backups on a secure system, separate from our application servers.
Bike Index is hosted on virtualized servers in the cloud. We have failover systems prepared and the ability to redeploy a cloned version of the service using our database backups, to ensure that even in the case of a total server loss, recovery is easily possible. We historically have provided 99.9% uptime and strive to maintain 99.9% in any given month period.
If Bike Index discovers a breach or exposure, we will analyze the breach or exposure to determine the root cause. Bike Index will then work with the appropriate parties to remediate the root cause of the breach or exposure. Once the root cause has been resolved, we will individually contact any affected parties and will publicly share what happened and what we can do to prevent similar events in the future.
Questions about the Terms of Service should be sent to contact@bikeindex.org.