Security at Roger

Security is one of the biggest considerations in everything we do. If you have any questions after reading this, or encounter any issues, please let us know.

HTTPS and HSTS for secure connections

Roger forces HTTPS for all services using TLS (SSL), including our public website and the Dashboard. We regularly audit the details of our implementation: the certificates we serve, the certificate authorities we use, and the ciphers we support. We use HSTS to ensure browsers interact with Roger only over HTTPS.

Encryption of sensitive data and communication

All passwords and other sensitive data are encrypted with AES-256. Decryption keys are stored on separate machines. None of Roger's internal servers and daemons are able to obtain plaintext passwords. Passwords are stored with military-grade encryption, using cutting-edge tools in data protection such as PBKDF2 using HMACSHA512 with 512 bits of storage for both salt and secret.

VPC and locked down networking

At Roger, all internal interprocess communication happens inside secured VPC environments that cannot be reached by any outside third party, to prevent man-in-the-middle attacks. All assets are encrypted at rest via SSE-S3.

2FA support

Users can opt in to a TOTP two-factor authentication system, internationally recognized by Google and the IETF. We satisfy all requirements of RFC 6238 and integrate flawlessly with the Google Authenticator app.

99.9% uptime

Roger has an uptime of 99.9%, measured monthly, excluding holidays, weekends and scheduled maintenance.