We understand the security of your company's pre-release apps is extremely important. This page describes some of the measures we employ to ensure your apps are safe. If you have any questions, please don't hesitate to contact us.
All access to the NimbleApp website is restricted to HTTPS-encrypted connections. All apps are uploaded over HTTPS-encrypted connections so that no one can eavesdrop on the connection. Once uploaded, apps are temporarily stored in the Amazon Simple Storage Service, part of Amazon Web Services, and are subject to the same high security standards. Apps are deleted as soon as performance analysis succeeds.
User passwords are secured with BCrypt (more specifically, 10 rounds of salted and peppered BCrypt). They are never stored in the database in plaintext and are not readable by staff. Passwords do provide access to the NimbleApp website, however, and it is the responsibility of the end user to protect their password with care. NimbleApp also offers and recommends optional OAuth2 login integration with Google for users who would like additional authentication security and convenience.
NimbleApp never collects or stores passwords for external applications like Google and Slack. Integration with third-party apps is done via either OAuth or API keys.
Your input and feedback on our security, as well as responsible disclosure, are always appreciated. If you have a security concern, please email us at firstname.lastname@example.org.