Memberful Security
We take security seriously. This document outlines the measures we take to protect you and your customers when you use Memberful.
We don't store credit card data.
We don't store credit card data on our servers. All payment processing is handled by Stripe, a certified Level 1 PCI Service Provider (the most stringent level of certification available). When credit card data is submitted via Memberful it is sent directly to Stripe via JavaScript over a secure SSL connection. The payment data never touches our servers. We use Stripe's latest technology to support SCA and 3D Secure 2.0.
We use SSL everywhere.
We force HTTPS on our website and across our application. This creates a secure connection between client and server and protects all the data transmitted over the connection.
We host in a secure environment.
Memberful runs on AWS (Amazon Web Services) via Heroku. AWS utilizes state-of-the art electronic surveillance and multi-factor access control systems. Data centers are staffed 24x7 by trained security guards, and access is authorized strictly on a least privileged basis. Multiple geographic regions allow them to remain resilient in the face of most failure modes, including natural disasters or system failures.
We keep backups in multiple availability zones.
Our database is replicated in real time to a high-availability standby in another (AWS EC2) Availability Zone. If our primary database fails, it is automatically replaced with the standby. The database is also continuously backed up (by Heroku) to S3, using a Postgres feature called WAL files; those S3 files are replicated across Availability Zones for 11 9's of durability.
Responsible disclosure
Memberful maintains a public bug bounty program with the assistance of Bugcrowd. Valid and in-scope reports might be eligible for a payment. We rapidly investigate all reported security issues.
If you've discovered a security bug, you can submit a detailed report to Memberful via Bugcrowd. We request that you not publicly disclose the issue until we can address it.