Specific security

Our approach to security is site-specific and strong: 2FA, encryption, and limited access.

Summary

  • Two-factor authentication (2FA)
  • Encryption at-rest and in-transit
  • Send emails using TLS
  • Employee access is limited to none


1. We require 2FA

Two-factor authentication, commonly referred to as 2FA, is a small step for effort and a giant leap for security.

With 2FA, your account is protected even if someone else has access to your current username and password — the "first factor" of your account security.

There are multiple methods for implementing 2FA, and you may have even seen it referred to as multi-factor authentication (MFA) for this reason, but not every method is as secure as it should be (*cough* text message or email *cough*).

The Grid uses the industry-standard TOTP protocol and the even more robust U2F approach. We give you the choice of either.

We distinguish between TOTP and U2F as software and hardware authentication, respectively.

TOTP is implemented and used by numerous authenticator apps, such as Microsoft Authenticator or the one included in a password manager like 1Password.

U2F is supported on our system using a Yubico hardware key known as a YubiKey.


2. Encryption at-rest and in-transit

All traffic to our website is encrypted with the industry-standard HTTPS protocol, and HSTS tells browsers to only ever connect to us over HTTPS — you are also protected from clickjacking, cross-site request forgery, and sniffing attacks while on our site.

All sensitive data is encrypted before it is stored in our databases, preventing someone with access to our system from seeing your information. This currently includes your name and firm information (work email, bio, phone, website). Your username is not currently encrypted, as doing so would prevent us from looking up your account when you log in.

Your account password is protected by a one-way (irreversible) hashing algorithm from the moment it's created. We can never access, see, read, or know your account password. If you forget your password, you will have to create a new one using our password reset system.

We also created a decoupled UUID for job posts, to allow for readability in the browser address bar without revealing sensitive system information.

This means that your job post will always have a unique ID associated with it, but that ID reveals nothing about your firm's job inventory or our database structure.


3. We send emails using TLS

Emails are leaky. There is never a guarantee that your email or an email sent to you will be delivered encrypted the whole way.

We send email using the industry-standard TLS protocol, which encrypts the connection to the receiving mail server and improves the odds that your email will be delivered encrypted the whole way.


4. Employee access is limited to none

Only our founders have access to your account information and we take that responsibility seriously. We have designed our system to collect the minimum amount of information that allows us to verify our users and thus maintain the quality of our site's job postings.

What does that mean? It means that the information we have access to is your username, first name, last name, company phone number, company email address, and company website. This information is used to verify your account. If and when we figure out how to verify your account with less information, we will happily update our system to do so. You can read more about it on our privacy page.

In the future, when we have more employees, we will implement an audit process to maintain our limited employee access policy, and we'll share the details of that process here.