At Harmony Lists, protecting customer data is a top priority. We take the responsibility of securing it very seriously.

Infrastructure

System Architecture

Harmony Lists’ architecture is built to be secure and reliable. API access is done at the local level using an API key that is protected from public access. Communications to and from our Mailman servers occur over secure channels: SFTP, SSH, and SSL.

Data Centers

Our applications are hosted by Linode with the following certifications:

SOC 1 Type 2
SOC 2 Type 2
HIPAA Type 1
HITECH
PCI DSS

For more information, please see the relevant Linode security page:

Linode

PCI DSS

Harmony Lists’ payment and card information is handled by Authorize.net, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the credit card payment industry. Harmony Lists does not typically receive credit card data, making it compliant with Payment Card Industry Data Security Standards (PCI DSS) in most situations.

Site Continuity and Disaster Recovery

Harmony Lists’ architecture is built with fault-tolerant capability. When a cloud server environment is detected as failing, a migration mechanism moves the failing cloud server to a more reliable and stable hypervisor environment.

Firewall and Encryption

Our servers are protected by firewalls and malware scanners. All Harmony Lists web traffic is served over HTTPS. We force HTTPS for all web resources.

Our SMTP servers support upgrading connections to TLS encryption.

Environments

Harmony Lists retains development and testing systems that are fully isolated from the production environment.

Data

Harmony Lists takes data security seriously.

Subscribers to the Harmony Lists service can use their own “Private Domain” (e.g. something akin to yourCompanyQATesting.com). Emails sent to a Subscriber’s private domain are subject to that subscriber’s per-list settings.

Harmony Lists also lets subscribers use its domain name through a sub-domain (e.g. list.harmonylists.com). Emails sent to a sub-domain of harmonylists.com are subject to the per-list settings of those subscribers.

Data Storage

Harmony Lists data stores are accessible only by servers that require access.

Backups

Harmony Lists conducts backups on a daily, weekly, and monthly basis via server-wide snapshots. Snapshots are retained for one month.

Logs

All sensitive information (including passwords, API keys, etc.) is filtered from all server logs. Subscriber activity is logged and kept for 3 weeks. No user activity is logged in the Harmony Lists Public system.