The security of your data is of the utmost importance to us. If you have any questions regarding our security policies or infrastructure, please don't hesitate to get in touch.


Our servers are located in top-security Amazon data centers, and have been validated as providing Level 1 service under the Payment Card Industry (PCI) Data Security Standard (DSS), as well as being compliant with ISO 27001 security practices. See the AWS compliance documentation for more details.

Our servers are located in geographically diverse locations across the United States and the European Union, to provide redundancy in the case that a particular region experiences downtime. We strive to remove any single points of failure and provide a robust, high-availability system.

User authentication is performed using Heroku OAuth. We do not store (and will never ask for) password information. See the Heroku Oauth documentation for more details.

Payment processing is performed by Stripe, who have been validated as providing Level 1 service under the Payment Card Industry (PCI) Data Security Standard (DSS). We do not (and will never) store your credit card information on our systems. See the Stripe security documentation for more details.


All connections to and from Dynomatic servers are performed over SSL/TLS, and are protected by 256-bit encryption. All sensitive data in our database (such as Oauth tokens) is encrypted using the AES256-GCM algorithm before being written to the database. All data is encrypted at rest.


Dynomatic provides a PGP key in order to encrypt your communications with us, or verify signed messages that you receive from us. See the PGP key page for more information.

If you’re unfamiliar with PGP, check out GPG, and start by importing a public key.


We treat all user-submitted data as potentially hostile, and sanitize data to prevent XSS and injection attacks.

We follow the twelve-factor app methodology to assist with portability and ease of scaling.

We use both internal and 3rd-party services to monitor our systems around the clock, which alert operations staff intantly in the event of downtime or reduced availability.

Development, staging and production environments are completely isolated from each other, and share no data or infrastructure.

We operate all systems under the principle of least privilege, and restrict access unless absolutely necessary.

All system configuration and updates are performed using industry standard configuration management tools, which provide repeatable, error-free deployments, and allow for easy updates in the case of security alerts and vulnerability announcements.

Data integrity

Customer data is only accessible by a small, select group of screened employees. These employees do not access customer data as part of normal day-to-day operations. They may access data at the customer's request in order to provide support, or when required to by law.

Application data is backed up daily, and backups are preserved for 25 days. We have a well-tested process in place for restoring from these backups in the case of failure.

All application metric data is stored in redundant clusters across multiple availability zones. The system is resilient to the failure of individual nodes in the cluster.


Any scheduled maintenance or planned downtime will be announced as far ahead of time as possible on our status page at Please subscribe to email updates at the status site to receive the latest information.

We use both internal and 3rd-party services for monitoring the health of all critical services, which allow us to respond within minutes of downtime or reduced availability.

A Service Level Agreement is available on request for Enterprise customers.

Ready to get started? Install the addon in under a minute.

Sign Up For Free