
Security

Our approach to keeping your data safe

Your artwork data represents your life’s work, and we take the responsibility of caring for it seriously.

This article outlines our approach to security and privacy: it’s a little long, but it’s intended to answer many of the questions you might ask.

Privacy

Security and privacy are often talked about together, but they are distinct things. Security is about keeping your data safe from unauthorized access (from us, from hackers, etc.). Privacy, on the other hand, is about respecting your rights and consent with the data you’ve entrusted to us.

Some ways we preserve your privacy:

  • We collect as little personally identifiable information (PII) as possible. To use Valise, you only need to provide an email address. You can optionally provide your name, but it’s not required.
  • We don’t sell your data. Your data is only shared with our vendors who help us operate Valise as a service (think: our hosting providers, who run the servers that store your data).
  • We don’t train AI models on your data. We don’t even have any AI features right now! Even if we do in the future, we’ll only use open-source, locally-run models that don’t require your data to be sent to a third party.

You can read more in our Privacy Policy.

Corporate security

A big part of keeping your data safe is keeping our own systems safe. We’re a small company, but we implement a number of best practices to protect your data:

  • We use password managers to generate and store unique, strong passwords for all infrastructure accounts.
  • We use multi-factor authentication for all accounts that support it.
  • We limit access to user data to only people who need it to do their jobs.
  • Those of us who can access user data will only access your data when you ask us to or to troubleshoot problems.

Product security

We make security a priority in the vendors we choose and tools we use to build Valise:

  • We use a memory-safe programming language called Go for our server, which helps prevent many common security vulnerabilities.
  • We minimize our use of third-party code libraries (“dependencies”) and review the ones we do use to prevent supply-chain attacks.
  • We use a database, SQLite, that can’t be exposed over the internet, which reduces the risk of a data breach caused by a networking misconfiguration. (What happened to Equifax literally cannot happen to Valise.)
  • We use simple, proven methods for authentication and authorization, like OAuth2 and secure cookie-based sessions. Newer techniques like JWTs can reduce load on servers, but also risk leaking data if not implemented correctly, so we keep it simple.
  • We avoid leaking personal information in diagnostic tools like logs by using anonymized identifiers instead of real names.

Access controls

And finally, we’ve also built Valise to give you tools to control who can access your data and to revoke that access at any time.

  • We restrict sensitive actions, like exporting data and changing access controls, to owners of an account.
  • We give you access controls to manage who can see and edit your data. Those access controls allow you to revoke access at any time.
  • We also give you the option to share your data with others, like through collection previews, but you can revoke that access instantly or have it end on an expiration date you set.

Frequently Asked Questions

Have more questions?

We’re here to help. If you didn’t find what you were looking for, or have more questions, feel free to reach out.