Data Security

Sell.Do takes the protection and security of its customers' data very seriously. Sell.Do manages the security of its application and customers' data. However, provision and and access management of individual accounts is at the discretion of businesses that own them. The Sell.Do development team has no access to data on production servers.

Sell.Do takes the integrity and protection of customers' data very seriously. We maintain history of two kinds of data: application logs from the system, and application and customers' data. All data is stored in Rackspace's state of the art cloud computing platform, Objectrocket.

Application logs are maintained for a duration of 21 days.


1. Data Deletion

When an account is deleted, all associated data is destroyed within 7 business days. Sell.Do products also offer data export options which businesses can use if they want a backup of their data before deletion.


2. Physical security

The Sell.Do development center in Pune is under 24x7 security protection, at both premises level and floor level to ensure only authorized individuals have access to the building and the Sell.Do office. At the premises level, the building’s perimeter is secured by barriers and guards. At the floor level, security guards and smartcard readers are present to authorize individuals before entry. Employees are granted access to the office only after authorization using smart cards. Critical locations in the office are accessible only to authorized individuals.

Important documents are stored in cabinets that can only be accessed by pre-authorized individuals. The office is equipped with surveillance cameras and their footage is monitored periodically by authorized individuals. Fire alarms and water sprinklers are in place to detect and mitigate damage in the unlikely event of a fire. Regular fire drills are also conducted by the premises management team to educate employees about emergency evacuation procedures. A policy has been implemented to approve and regulate visitor access to the building. The office is provided with 24x7 power supply, supported by an alternative uninterrupted power supply system to ensure smooth functioning in the event of power failure.

Sell.Do hosts its application and data in industry-leading Rackspace, whose data centers have been thoroughly tested for security, availability and business continuity. For more details, please check this page (https://www.rackspace.com/).


3. Application security

All of Sell.Do’s products are hosted in Rackspace. The infrastructure for databases and application servers is managed and maintained by Rackspace.

At Sell.Do, we take a multifaceted approach to application security, to ensure everything from engineering to deployment, including architecture and quality assurance processes complies with our highest standards of security.


4. Application Architecture

The application is initially protected by Rackspace’s firewall which is equipped to counter regular DDoS attacks and other network related intrusions. While the application can be accessed only by users with valid credentials, it should be noted that security in cloud-based products is a shared responsibility between the company and the businesses who own those accounts on the cloud. It should be noted that all account passwords that are stored in the application are one-way hashed and salted.

Each customer is uniquely identified by a client ID. The application is engineered and verified to ensure that it always fetches data only for the logged-in client. Per this design, no customer has access to another customer’s data. Access to the application by the Sell.Do development team is also controlled, managed and audited. Access to the application and the infrastructure are logged for subsequent audits.

The in-line email attachments for the product are public by design, to enable us to embed links within the email which can be used without a session.


5. Application Engineering and Development

Our engineers are trained in industry-leading secure coding standards and guidelines to ensure our products are developed with security considerations from the ground-up. A security review is a mandatory part of application engineering (development and construction) process at Sell.Do. The security review leverages static code analysis tools, in addition to manual reviews, to ensure adherence to our highest standards.


6. Quality Assurance

Besides functional validation and verification, the quality assurance process at Sell.Do also subjects application updates to a thorough security validation. An update to the application does not get the stamp of approval from the quality assurance team if vulnerabilities (that can compromise either the application or data) are identified.


7. Deployment & Post Deployment

Deployments to production servers are performed only by trusted and authorized engineers. Only very few pre-authorized engineers have access to Sell.Do's production environment. In order to view and inspect access logs, engineers need to go through a committee of authorized employees, who will then deliver the logs to them after validating their purpose.


8. Operational Security

Sell.Do understands that formal procedures, controls and well-defined responsibilities need to be in place to ensure continued data security and integrity. The company has clear change management processes, logging and monitoring procedures, and fallback mechanisms which have been set up as part of its operational security directives.

All employees are provided with adequate training about the information security policies of the company and are required to sign that they have read and understood the company’s security-related policies. Confidential information about the company is available for access only to select authorized Sell.Do employees.

Employees are required to report any observed suspicious activities or threats. The human resources team takes appropriate disciplinary action against employees who violate organizational security policies. Security incidents (breaches and potential vulnerabilities) can be reported by customers through our portal at support.sell.do or via email: security@sell.do.

Sell.Do maintains an inventory of all information systems used by employees for development purposes in an internal service desk, aided by automated probing software that assists in tracking changes to these systems and their configurations. Only authorized and licensed software products are installed by employees. No third parties or contractors manage software or information facilities, and no development activity is outsourced. All employee information systems are authorized by the management before they are installed or put to use.

The company has a privacy policy, approved by an internal legal counsel, available publicly at http://www.sell.do/privacy_policy.


9. Network Security

Network security is discussed in detail in this section from the perspective of the development center, and the network where the application is hosted.

The Sell.Do office network where updates are developed, deployed, monitored and managed is secured by industry-grade firewalls and antivirus software, to protect internal information systems from intrusion and to provide active alerts in the event of a threat or an incident. Firewall logs are stored and reviewed periodically. Access to the production environment is via SSH and remote access is possible only via the office network. Audit logs are generated for each remote user session and reviewed. Also, the access to production systems are always through a multi-factor authentication mechanism.

All Sell.Do products are hosted in Rackspace, with security managed by Rackspace. The NOC and DevOps teams monitor the infrastructure 24x7 for stability, intrusions and spam using a dedicated alert system.


10. Regulatory Compliance

All formal processes and security standards at Sell.Do are designed to meet regulations at the industry, state, federal and international levels. Sell.Do is ISO/IEC 27001:2013 certified.


11. Reporting issues and threats

If you have found any issues or flaws impacting the data security or privacy of Sell.Do users, please write to security@sell.do with the relevant information so we can get working on it right away.

Your request will be looked into immediately. We might ask for your guidance in identifying or replicating the issue and understanding any means to resolving the threat right away.


12. Get in touch with us

If you have any questions or doubts, feel free to get in touch with us at support@sell.do, and we'll get back to you right away.