Fanout's security program includes safeguards that help protect your data as it moves through the Fanout Cloud service. Information about these safeguards is organized by category.
Authentication and authorization
User account assignment. We assign individual user accounts to personnel who access Fanout systems and devices. These assignments help us monitor and enforce accountability of user activity.
User-level privileges. Our systems and devices enforce user roles or similar measures to control the extent of access we grant individual users.
Secure software development. Developer code undergoes peer review prior to deployment, and internal security engineers periodically analyze code for software components with higher potential security risk.
Network and infrastructure security
Configuration standards. We document and follow configuration standards to maintain secure systems and network devices. These standards include business justification for the ports, protocols, and services in use, as well as the removal of insecure default settings.
Vulnerability and patch management. We schedule and deploy vendor-provided patches on a regular basis.
Secure data transmission. The Fanout Cloud service supports TLS configurations to encrypt connections both externally to end users and backend origin servers, as well as internally within the Fanout network.
Business continuity and operational resilience
Service monitoring. We monitor multiple internal and external reporting channels to detect service-related issues. Personnel are available 24x7x365 to confirm and respond to disruptions of the Fanout Cloud service.
Communication and reporting. We update impacted customers using various communication methods (such as status.fanout.io), depending on an incident's scope and severity.
Customer and end user data management
Configuration data. We may directly access or modify customer accounts or configurations to provide our services, prevent or address service or technical issues, as required by law, or as customers expressly permit. For the same reasons, we may also access or modify equipment, systems, or services that manage customer content.
Client IP addresses. As part of our network's general interaction with the Internet, Fanout independently collects anonymized and aggregated client IP address information on a limited basis to provide and improve its services. Client IP addresses are retained in a non-anonymized, non-aggregated fashion for up to seven business days, and are discarded thereafter.
IP addresses and security monitoring. Fanout may retain indefinitely any non-anonymized, non-aggregated client IP addresses associated with suspicious activity that may pose a risk to the Fanout network or our customers, or that are associated with administrative connections to the Fanout Cloud service.
Content request data and message data. Content enters, transits, and departs our network in response to client requests and as a result of publishing messages via our API. We retain and use data about the operation and reliability of our processing of requests and messages to monitor, maintain, and improve our services, our business operations, and our security and compliance programs. Subject to confidentiality obligations to our customers, we only disclose this data in anonymized and aggregated form.