Retail-Secure Security

Data Storage Security

We at Retail-secure(formerly MobiLock) take customer Data Security very seriously and have implemented a list of measures and a set of protocols to further safeguard and protect data. The following rules are some high-level mechanisms that have been implemented across the systems:

Passwords: All login passwords are hashed using BCrypt (one way hashing) and then stored in the database. For best results we advise users to choose at least 20 character password and also use a Password Manager.
Login Security: We further protect your login from brute-force attempts with rate limiting.
Wifi-Passwords: Wifi passwords and PEAP credentials are stored encrypted in the database.
Logging: Passwords and other sensitive tokens are excluded from all system logs.
Archiving: Old GPS and location records are archived and then later purged after a certain threshold, if you want your location data to be preserved for certain duration due to regulatory compliance in your country then please inform us upfront so that we can have a rule in place for your data.
Analytics: Analytics tools have “IP anonymization” in place to protect user’s privacy.
Data Centers: Retail-secure(formerly MobiLock) leverages multiple cloud services to store and manage its data. The data centers are located in Ireland, Netherlands, Germany and United States, in future new data centers may be added / removed / relocated. But there will always be an EU data center to serve EU customers and their data will always be stored in data centers located in EU.
Backups: All backups are encrypted and stored in long term storage. Backups are managed through Lifecycle policies which will automatically purge them after certain age.
CDN or Content Delivery Network: The Retail-secure(formerly MobiLock) Enterprise Store leverages Amazon CloudFront as a CDN to quickly distribute uploaded APKs to devices as a mechanism to reduce load on our servers, this may require replication of the file across multiple edge servers.
Assets: Uploaded APKs and Images are stored in Amazon S3
HTTPS: All the requests are served using HTTPS, we leverage Certificate Pinning(in some cases) and also use Perfect Forward Secrecy. We also ensure to have CAA records for our domains to prevent certificate mis-issue.

We take special care in sanitising user input to avoid XSS or Cross-site scripting issues, in general as we do not deal with a lot of user generated content so the attack surface is relatively small.

Payment or Credit Card Data

Your payment or Credit Card information is not stored on our servers, we leverage Stripe to process the payments for our customers. They are a PCI Service Provider Level 1 certified payment processor and it is one of the most stringent level of certification available in the payments industry. Learn more about Stripe’s security here