FrescoFrigo delegates the management of credit cards and the billing process to a third party. The whole FrescoFrigo-owned infrastructure and the integration with said party follow the same guidelines and best practices.
Specifically, the party managing the credit card data has been audited by a PCI-certified auditor and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available in the payments industry.
HTTPS and HSTS for secure connections
HTTPS-encrypted communication is enforced for all connections (fridge, app, dashboard, third parties) using TLS (formerly SSL).
We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support.
Encryption of sensitive data and communication
All card numbers are encrypted at rest with AES-256. Decryption keys are stored on separate machines. None of the internal servers and daemons can obtain plaintext card numbers but can request that cards are sent to a service provider on a static allowlist. The infrastructure for storing, decrypting, and transmitting card numbers runs in a separate hosting environment, and doesn’t share any credentials with the primary services (API, website, etc.).
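As an added illustration of the separation described above (this is example code, not FrescoFrigo's or its provider's implementation), the Go sketch below keeps the AES-256-GCM key and the ciphertext inside a card service that hands the primary API only opaque tokens, and decrypts solely to forward a card to a provider on a static allowlist. The provider name, the key and the card numbers are constructed placeholders.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Static allowlist of providers the card service may transmit to (hypothetical name).
var allowedProviders = map[string]bool{"acquirer.example": true}

// CardService models the separate environment: it alone holds key and ciphertext.
type CardService struct {
	aead  cipher.AEAD
	vault map[string][]byte // token -> nonce || ciphertext
}

func NewCardService(key []byte) (*CardService, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &CardService{aead: aead, vault: map[string][]byte{}}, nil
}

// Tokenize encrypts a card number under a fresh nonce and returns an opaque
// token; the token is GCM associated data, so vault records cannot be swapped.
func (s *CardService) Tokenize(pan string) (string, error) {
	raw := make([]byte, 16+s.aead.NonceSize())
	if _, err := rand.Read(raw); err != nil {
		return "", err
	}
	token, nonce := fmt.Sprintf("%x", raw[:16]), raw[16:]
	s.vault[token] = s.aead.Seal(nonce, nonce, []byte(pan), []byte(token))
	return token, nil
}

// Forward decrypts only to transmit to an allowlisted provider and hands the
// caller a masked receipt; the plaintext card number never leaves this service.
func (s *CardService) Forward(token, provider string) (string, error) {
	rec, ok := s.vault[token]
	if !ok || !allowedProviders[provider] {
		return "", fmt.Errorf("refused: unknown token or %q not allowlisted", provider)
	}
	ns := s.aead.NonceSize()
	pan, err := s.aead.Open(nil, rec[:ns], rec[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	// The actual transmission of pan to the provider over TLS is omitted here.
	return fmt.Sprintf("card ending %s sent to %s", pan[len(pan)-4:], provider), nil
}
```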
Vulnerability disclosure and reward program
The party managing the credit cards maintains a private, invite-only bug bounty program, with the assistance of HackerOne. Invited researchers are eligible for a payment.