The following provides more detailed information for admins and group organizers on what data Count.It collects from users, and how we secure our system — as well as what data we gather via our Slack app. (For more detail, please check our Privacy & Terms page.)
The Count.It platform uses current tools and processes to minimize the risk of security or data breaches. The platform works closely with its hosting and infrastructure partners (Amazon AWS, MongoDB Atlas, and Stripe) to ensure that all data is encrypted and protected in transit, and operational security policies are documented and followed by all staff.
We are a CyberGRX Exchange member, and are pleased to have received top ratings from both BitSight and SecurityScorecard, two industry leaders in "outside-in" security testing and monitoring.
SecurityScorecard Report as of March 22, 2021
BitSight Report as of March 23, 2021
CyberGRX Cyber Risk Assessment: available on demand.
Basic User Profile Data: Users create an account on Count.It to access the platform. Passwords are stored encrypted and are never visible to anyone, including Count.It admins. A user's Count.It profile includes name, email, and password (encrypted). Once a user joins, we infer their timezone from a connected fitness tracker, from their smartphone OS, or, in the case of web access, from their web browser. Users can remove their account at any time from their Settings --> Profile page.
Activity Data: When a user connects a fitness tracking app, they grant permission to that app (Fitbit, Apple, etc.) to share specific activity data with Count.It. Count.It collects only activity data that can be used in the system, not all data available on the user's app. We currently receive and process activity data related to steps, swimming, cycling, yoga, meditation, and strength training.
Admin Access: If given express permission by a user, a group admin can access that user's Count.It activity "logs" to help with data input or verification.
User Privacy Setting: A user can opt to be "public" or "private." "Public" simply means that the user will appear on public leaderboards.
Group Privacy Setting: Groups can likewise opt to be "public" or "private." A "public" group is findable on the site and appears on its regional leaderboard.
Account Removal: Admins can delete users at any time, and also request that their group be removed entirely from the system.
Slack App: The Count.It Slack app pushes messages to a designated #channel, and receives data only as a result of direct user actions. The app is not "listening" to all Slack channel traffic, i.e. we do not "ingest" Slack channel chatter in the way that some bots/apps do. When a user registers on Count.It via the Slack app, Slack sends us the user's name, email address, and a secure ID "token." We do not get the user's Slack password. Users can set "workbreak goals" via the Count.It Slack app, and they can log workbreak activity. When they do, this data is sent from Slack to Count.It via our app. We do not receive any other user-related info from Slack.
Our platform is hosted on AWS Elastic Beanstalk.
Our data store is hosted on MongoDB Atlas.
Our billing system is Stripe Billing, which hosts all client credit card and billing information. No billing information is stored or transmitted in the clear.
All data is encrypted during transmission via HTTPS.
All related service accounts, including our GitHub repository, require two-factor authentication; access is limited to active developers and is purged regularly.