Meldium runs as a web application using third-party cloud platforms. Meldium currently runs on Heroku and Amazon Web Services, and our servers are located in the United States. We may use other cloud providers that meet our security and availability needs in the future if appropriate.
All of the data exchanged in Meldium is sent over secure (TLS) connections. Our public web application runs only on HTTPS, and our internal network links (between service tiers, databases, and caches) are each encrypted at the transport layer as appropriate.
Meldium adds a second layer of encryption (using ECDHE) in-browser to ensure that neither credentials nor sessions can be compromised even if the TLS connection is broken or decrypted. This means that even if someone were to breach our cloud partners' queuing or caching systems, they would see encrypted data that only the requester's browser can decrypt.
Meldium connects to other web applications to manage those apps and initiate automatic logins. Those connections are also always performed over HTTPS, and the remote server certificates are always verified.
In order to provide app management and automatic login, Meldium must store some of your sensitive information on our servers. For user management, we may store your API keys, your username and password, or an OAuth credential. We will always use an OAuth credential or API key if possible, and we only store passwords if absolutely necessary for a service integration. To provide automatic login, we store usernames and passwords.
All of your sensitive data is stored in an encrypted format. We use open-source cryptographic libraries and standard algorithms (AES-256 for symmetric operations and RSA 2048 bit for asymmetric operations). We never write our own cryptographic code or modify existing libraries.
The data we store is also regularly backed up via our cloud providers. The backups are kept in the same format as the original data and thus requires access to our master keys to decrypt.
The keys to decrypt your data are only stored on secure subset of Meldium's computers. These keys are stored as runtime configuration, and never checked in to source code. The computers that are able to decrypt your API keys, OAuth tokens, and passwords run in an isolated application that is not accessible to the public internet. This means that if Meldium's public-facing servers are attacked, the master encryption keys will not be compromised.
Your secrets are only decrypted when they are needed to perform some operation on your behalf (adding an account, disabling a user, logging in to a service, etc.) and the decrypted data is never written to disk or logged. In order to provide the best user experience, our systems periodically use your authentication information to refresh application data.
Any usernames and passwords that you store in Meldium can be pulled back out of the system. Use the credential exporter tool to download your data as a comma-seperated values (CSV) file, a common text format that is supported by dozens of tools.
Yes. You can manually remove individual apps and credentials from Meldium using our web app. And at any time, you can contact email@example.com to request that your account be deleted. Once we've confirmed your identity, we will immediately remove all of your data from our system. Encrypted backups of your data may be retained for up to 90 days - these backups are used only for disaster recovery purposes.
Due to the architecture of our system, it is technically possible for a Meldium employee to gain access to your secret data. As a matter of corporate policy, this kind of access is forbidden. Therefore, we have strong internal controls in place to prevent this unlikely event. We never manually decrypt your data, even when debugging issues with our systems or with third parties. We've built a suite of internal tools that allow an operator to perform actions using your secret data without actually logging in to our secure fleet.
A limited set of Meldium employees have access to the secure fleet and the master encryption keys - this access is only granted to employees for whom it is absolutely necessary. Third-parties or contractors will never gain access to Meldium's secure hosts or master keys, or your secret data. All internal access to all of Meldium's systems (secure or otherwise) is logged and audited.
Like other web applications, Meldium creates and collects application logs that track what our servers are doing on each request. These logs are used to find and fix bugs in Meldium and to help us monitor the performance and uptime of the application. We have comprehensive filtering in place to ensure that no sensitive data is logged, and logs are currently retained for two weeks before they are automatically deleted.
In addition to these application logs, Meldium also creates structured logs that keep track of which users launch which applications. We also track new user creation and user disable / delete operations. We collect this data in order to provide our customers with an audit trail, and to enable features like "recently used apps". We use this log data in aggregate form to better understand our customers and make decisions about the future development of Meldium.
Meldium uses modern web frameworks and follows those frameworks' best practices for securing access. We monitor for bugs and security patches in all the systems we use and apply updates religiously. In addition, we've engaged external security firms to perform penetration tests and source code audits on Meldium's systems, and we will continue with those tests and audits regularly in the future.
We want to hear from you! We're grateful for security researchers who practice responsible disclosure. Please contact us at firstname.lastname@example.org with the details of the problem you've found. We treat these reports as our highest priority and we'll get back to you immediately. And we promise not to seek legal action against those who fully disclose security issues to Meldium and do not maliciously exploit those vulnerabilities.
Any security-related emails sent by Meldium employees will be signed with the following public key. You may also use this key to encrypt any messages sent to email@example.com.
-----BEGIN PGP PUBLIC KEY BLOCK----- Version: GnuPG v1.4.12 (Darwin) mQENBFEm15MBCADBH5dQQIcR2EyF58QsTrWC5dLrJsJDqJtXmGIf5oJhBQ2/irRM 6ML31EdnNS+sankp0kzUFDCgx1iKlyHFWrUqaIKHZ+l09jURIZZp189Q9aHufnW6 9D5EYyZN30jJgQgUtbVELFIcLLJe+9EkRJT869QLpsWu5IgDc3AMe9P1m5bSSU7p fmqs5RAhOySfAt338o1B5ilSuBhUv/jvaxO4JjQj4GLKRVRj0tGlxGQfvzfnexUN t5E4NKBMxuNDtUjLuNbHBrMWSKxsoNg3FHWGzQL3LkjCunuLJYiW3Ct6kOJohjGD w0dO5VdJWhwJYrPydgtfe28eFDzlrU92noQ9ABEBAAG0J01lbGRpdW0gU2VjdXJp dHkgPHNlY3VyaXR5QG1lbGRpdW0uY29tPokBOAQTAQIAIgUCUSbXkwIbAwYLCQgH AwIGFQgCCQoLBBYCAwECHgECF4AACgkQfeniCFBiBff/kggAkt+zlQ4X09GbS1th VMoPLBBdfuGGoY1gIMa98hPbbbq5zrveIYiiVfRw3bJISEeQ0uWIhbw+rZVHvwhR k4wFyYZyu7aZelKTHAFBCx2HyBAhrpx0c7JShHin1XR/2gWetUOyLrdwP+gLg2+W bxnsn6ndzvTJhLAsDwwP9NJowECoToKaQZ1kklYlTgRpXyM7Z0EruiMBwySDbB90 JzNBGFAcHinYuyvhT28bewurFkp4TANm8BglDaqWnHBaBCju5KEZ3H3XwHmEEQsy Gmi8yVYJq9+kn8rcLGUwg2NvQlo8NzWEIZ7bHaGb/n/QP/ufoLU92E6GeEOJmcGM gcnHnrkBDQRRJteTAQgAwxjd/A37s0MxD4x6Zg++jsTDhLRwJIn0E39i9jApzViq oBXd64ezjxDSzyEqEUtSyH/vDjOINlBfVDZ0NvT5yzpDnuSEnNEjhzRyVCjjo8ra LUeiRCqFOZ74PHxtR2pzfLwsdJDyV8GXConSgQHzioXkyu5ShNnczkrm0dyklYQF dB3cgZEF6oKqz3YlDI6zn2t0jyXfumXpPGD0LPK6PUbLwVzCJp5PoJaTABVH1H06 rVjPD1S2rgGtncolDFvXEPB9m5yaNjvxNQgG18Pu5vosGU0Co9p8D1I3H9a7MI4C PZ7SmdRGJsenPVWItGphpwOZevTJOkxEsUCdgrqfoQARAQABiQEfBBgBAgAJBQJR JteTAhsMAAoJEH3p4ghQYgX378YIAIpCUF9OAD+GB6ySkWadUYtXm/P8zfqzxRl6 XWZrgAmV/7Kab8Xzbcdba9mSIQYdNjgNZGJWGoTq5LjtFh58kO9Cm6xJg4JPfG9e Nl1jINRmBa8D7nF7KwclBRp+hNnlWIIFcSnNkeFl5co81eYhEVGssXSMd18jQtjK iNxAJkI7+ab/itEQ4a8utItHwIejxTay9K7D3N+J8jWi+okbcT1SnrcpfUows+Xj /hgTU/UkQQOiuRvZjvD5Kn6JUwKA6r2YaEuNYfWiwgUjJd+zw0Luv+C/4II0Nosj 8C1eJnT5Ve7pq13w9OIUfjZ9jkiZRu1D6tYItAZ4Ci7n3zl6O8c= =1yOy -----END PGP PUBLIC KEY BLOCK-----
The following people have reported security vulnerabilities to Meldium. Thanks for you help!