Security

We at Once I've Gone take security very seriously. It underpins how our product is designed and implemented, and the policies we have in place for maintaining that security.

Passwords

You might be wondering why we require passwords of 10 characters or more, and why we don't enforce other "standard" password composition rules. Firstly, requiring users to have a password of 10 characters or more dramatically increases the security of that password.[1] Secondly, password composition rules just don't work: they make passwords harder for users to create and remember, and often result in less secure passwords.[2]

Encryption

Your information is encrypted and stored using industry-leading technology. All communications with Once I've Gone - when you load a page, upload documents or submit a form - are protected by 2048-bit SSL certificate encryption. When we store your data at rest, everything is encrypted using 256-bit AES encryption, one of the strongest block ciphers available.[3]

Where is my data stored?

For redundancy purposes your data is securely replicated to two different geographic locations around the world. This ensures that should something happen to the data stored in one location, your data can be recovered from another. This replicated data is secured and stored in the same way as the primary data, and governed by the same rigorous security protocols.

Operational security

At Once I've Gone we follow a strict set of processes and protocols to safeguard your data and ensure that no one has access to your data but you. Once I've Gone employees are not able to access your data, and we do not share your data with, or sell it to, any other party.

References

  1. Coding Horror - Password rules are [not great]
  2. United States National Institute for Standards and Technology (NIST) guidelines for password policies
  3. Advanced Encryption Standard (AES)