Security
We know how critical your data is to you and that you rely on Appwrite services. We run our production servers from the cloud as well, and so security is at the forefront of our thoughts as it is yours.
Last updated: May 2017
Need to Report a Vulnerability?
Please email us directly at: security@appwrite.io.
Responsible Disclosure: We would like to keep Appwrite safe and secure for everyone. If you have discovered a security vulnerability, we would greatly appreciate your help in disclosing it to us in a responsible manner.
Publicly disclosing a vulnerability can put the entire Appwrite community at risk. If you have discovered a possible vulnerability, we would greatly appreciate you emailing us at security@appwrite.io. We will work with you to assess and understand the scope of the issue and fully address any concerns. Any emails are immediately sent to our engineering staff to ensure that issues are addressed rapidly. Any security emails are treated with the highest priority, as the safety and security of our service is our primary concern.
Physical Security
We use only premier datacenter facilities for colocating our equipment. Each site is staffed 24/7/365 with onsite security to protect against unauthorized entry. Each site has security cameras that monitor both the facility premises and each area of the datacenter internally. There are biometric readers for access as well as at least two-factor authentication to gain access to the building. Each facility is unmarked so as not to draw any additional attention from the outside and adheres to strict local and federal government standards. Learn more about our data center security.
System Security
Our operations team runs regular patch updates on the OS, third-party tools, and open source software. System installations use a hardened, patched OS. We constantly monitor for security issues in our stack. Every major issue is prioritized and patched immediately.
Software Security
We employ a team of 24/7 server specialists at Appwrite to keep our software and its dependencies up to date, eliminating potential security vulnerabilities. We employ a wide range of monitoring solutions for preventing and eliminating attacks on the platform.
Email Security
Appwrite supports TLS encryption on all inbound and outbound email. For an explanation of how email encryption works, we recommend this overview from Google.
Communications
All communications with Appwrite are transmitted over TLS (HTTPS), both for access to the Control Panel and the API and within our internal network.
File System and Backups
All user data on the Appwrite platform is backed up on a regular basis. Every line of code we store is saved on a minimum of three different servers, including an off-site backup. We do not retroactively remove data from backups when it is deleted by the user, as we may need to restore it for the user if it was removed or damaged accidentally.
We do not encrypt data on disk because it would not be any more secure: the console and API would need to decrypt the data on demand, slowing down response times. Any user with shell access to the file system would have access to the decryption routine, thus negating any security it provides. Therefore, we focus on making our servers and network as secure as possible.
Employee Access
No Appwrite employee ever accesses a user's account unless required to for support reasons. Staff working directly with storage access a compressed version of your data; your files are never present as plain text.
Support staff may sign into your account to access settings related to your support issue. This will only be done with your consent.
When working on a support issue, we do our best to respect your privacy as much as possible. We only access the files and settings needed to resolve your issue. All staff actions on your account are audited and monitored by our security team.
Maintaining Security
We protect your login from brute force attacks with rate limiting. All passwords and API keys are filtered from all our logs and are one-way encrypted in the database using bcrypt. Login information is always sent over TLS.
We also maintain relationships with reputable security firms and consultants to perform regular penetration tests and ongoing audits of Appwrite services and its source code.
Credit Card Safety
When you sign up for a paid account on Appwrite, we do not store any of your card information on our servers. It's handed off to PayPal Payment, who comply with PCI standards in the storage and handling of credit card information. For more information about PayPal security, please visit the PayPal security center.
Contact Us
Have a question, concern, or comment about Appwrite security? Please contact Appwrite Support.