Security at Latenode.com

At Latenode.com, we are deeply committed to the privacy and security of your information. This document provides an overview of our key practices and policies related to data handling and security. While this is not a comprehensive list, it highlights our main procedures and commitments.

Security reports

Should you discover a potential security vulnerability in Latenode.com, we encourage you to inform us promptly. Please reach out to [email protected] with your findings.

Abuse Reports

If you believe that resources from Latenode.com are being used for unlawful activities or in violation of our Terms of Service, please to [email protected]. We take such reports seriously and investigate them promptly to maintain the integrity and security of our platform.

Hosting

Latenode.com is hosted on the Amazon Web Services (AWS) platform in the us-east-1 region. Our platform's infrastructure, including the physical hardware and data storage, is located in data centers managed and secured by AWS. For detailed information on AWS's security practices and compliance certifications, please visit this link.

In addition to AWS's robust security measures, Latenode.com implements additional safeguards for accessing AWS resources. These include, but are not limited to, the use of multi-factor authentication for AWS access, operating services within a private network that is not accessible via the public internet, among other security controls.

Intrusions

To ensure the security of our infrastructure, Latenode.com utilizes Cloudflare WAF, along with custom alerts to monitor and defend against potential cyber threats, including DDoS attacks.

Our team is equipped to respond swiftly to any security incidents, guided by our comprehensive incident response policy.

OAuth keys, API Keys

When you integrate a third-party application with Latenode.com, you might be prompted to authorize a Latenode.com OAuth application for access to your account, or to provide an API key or other credentials. This section outlines how we handle such grants and keys.

For applications supporting OAuth integration, Latenode.com prefers this method. OAuth allows Latenode.com to request access to specific resources in your third-party account without needing your long-term credentials. We use short-term access tokens that must be refreshed regularly, and most applications offer a way to revoke Latenode.com's access at any time.

In cases where a third-party application doesn't offer OAuth, you may need to provide an API key or another form of authorization. We advise limiting the API key's access to only the necessary resources within Latenode.com, if your application allows such restrictions.

Latenode.com securely encrypts all OAuth grants, key-based credentials, and environment variables at rest in our production database. This database is housed in a private network, and its backups are also encrypted. The encryption key, managed by AWS KMS, uses 256-bit AES in GCM mode. Only select team members have access to administer these keys, which are rotated annually.

You have the option to delete your OAuth grants or key-based credentials at any time via https://app.latenode.com/connections. However, removing OAuth grants within Latenode.com does not revoke our access to your third-party account. To do this, you must revoke access through the third-party application's own OAuth management system.

Encryption of Data in Transit and TLS (SSL) Certificates

When accessing Latenode.com's web application, all traffic between your device and Latenode.com services is encrypted in transit. This ensures that your data remains secure as it moves across the internet.

Regarding the management of certificates, Latenode.com leverages the Cloudflare SSL manager for all our certificates, including those used for custom domains. This approach removes the need for our team to handle the private keys of certificates directly, as Cloudflare securely manages them. Additionally, the renewal of these certificates is automated and managed by Cloudflare, ensuring continuous protection without manual intervention.

Data at Rest Encryption

At Latenode.com, we ensure the security of our customer's data at rest within our databases and data stores. To manage and secure our encryption keys, we utilize AWS KMS, with all keys being under the control of Latenode.com.

Access to administer these keys is strictly limited to a select group of our team members, ensuring high-level security management.

Development process

At Latenode.com, we use GitLab for storing and versioning all our production code. This ensures that we have a robust system for tracking changes and maintaining code integrity. To protect our GitLab organization, employee access is secured with multi-factor authentication and a Virtual Private Network.

We have stringent policies in place regarding who can deploy code to production. Only authorized Latenode.com employees are permitted to do so. All deployments undergo thorough testing and are closely monitored both before and after release, ensuring the highest standards of quality and security.

Vulnerabilities

Latenode.com actively monitors our code, infrastructure, and core applications for any known vulnerabilities. Our team is committed to addressing and resolving critical vulnerabilities promptly and efficiently. This proactive approach to vulnerability management is a key part of our commitment to maintaining a secure and reliable platform for our users.

Payment Processing

Latenode.com has partnered with Stripe as our primary payment processor. When you subscribe to any of our paid plans, your payment method details are transmitted to and securely stored by Stripe, by their stringent security policies. It's important to note that Latenode.com does not retain any information about your payment method. This ensures maximum security for your financial data, leveraging Stripe's robust and industry-standard security measures.

Youtube

Engaging with any YouTube services accessible through Latenode scenarios entails interaction with YouTube’s API Services, please refer to https://developers.google.com/youtube/terms/developer-policies#definition-youtube-api-services

For comprehensive information on Google’s Privacy Policy, please refer to http://www.google.com/policies/privacy.

Upon granting authorization for Latenode to access your YouTube account, Latenode will retain basic account information, such as the associated email address. When Latenode initiates API requests to YouTube, data such as logs or API responses may be retained (please consult Section 1 in the Table of Contents for details). You retain the right to manage this data within your Latenode account by deleting relevant authorizations or scenarios, thereby removing all corresponding retrieved data. Furthermore, you have the option to revoke Latenode's access to your account via https://security.google.com/settings/security/permissions.

Google Limited Use Requirements

Latenode's utilization and transmission of data acquired from Google APIs to any other application will strictly comply with the Google API Services User Data Policy, which includes adherence to the Limited Use stipulations, please refer to https://developers.google.com/terms/api-services-user-data-policy#additional_requirements_for_specific_api_scopes

It is important to note that Google Workspace APIs are not employed for the development, enhancement, or training of generalized or non-personalized artificial intelligence and/or machine learning models.