Security, Privacy, and Compliance

Drafted members entrust us with their information every day and we take their security seriously. Our core value of putting our members first powers all of the decisions we make, including how we manage and protect the data of our members and customers. We never stop working to ensure Drafted is secure.


Top Security and Privacy Features

Any questions? Drop us a line at support@drafted.us


Authentication & Passwords

Drafted supports SSO using OAuth2 for Google Sign In. For other users, Drafted uses Argon2id password hashing and best practices in implementation. Don't worry, we didn't forget the salt.


GDPR Ready

We follow GDPR principles, including explicit consent, purpose limitation, security, the right to be forgotten, and more. You can read our new Privacy Policy to learn more about how we use and safeguard your privacy and data.


Access Control & Encryption

Our employees know how to handle your data - we enforce multi-factor authentication for all internal systems and third party services where it is supported, and an internal data access policy is required learning for new employees. No data on Drafted is ever transmitted on an un-secure connection, even between internal microservices.


Cloud Data Protection Standards

Drafted services run on Amazon Web Services (AWS) and DigitalOcean which are physically secure, employ modern software security techniques, and require multi-factor authentication for access. The AWS and DigitalOcean clouds meet several global security standards such as ISO 27001 and SOC.


Disaster Recovery

Data backups are handled by Heroku's Data Safety and Continuous Protection backups. Continuous nightly backups that are physically and logically separated allow for secure and reliable rollbacks and retrieval in an emergency.


Continuous Vulnerability Management

We use a third party service to ensure that all of our dependencies are up-to-date and patched if a patch is available. When new known vulnerabilities are found, we are immediately notified with a recommended action to take. Critical vulnerabilities are typically patched same day and non-critical within 2 weeks.


Payments and Financial Transactions

All subscriber payment information is handled by PCI-DSS compliant third party services - we use Recurly, Stripe, and Bill.com. Credit card or payments data is never stored on Drafted servers, and only the authorized admins have access to subscriber account data required for sales and support purposes.


Data Retention and Deletion

Private data deleted within 30 days upon request. Publicly available data will not be deleted. Some exceptions. You can read our Privacy Policy (explore.drafted.us/privacy) for more details, or put in a Data Access Request here (explore.drafted.us/dsar)