
- Overview
- Optimism Apps Pty Ltd takes the security of clients' records very seriously. We would not offer Optimism applications publicly if we were not satisfied that clients' records were secure.
This document has been written to be as transparent as possible. It is important that you have a good understanding of our security arrangements, and make an informed decision before using our applications.
- Optimism Online Database
- The Optimism web and iPhone applications store clients' records in a database on the Optimism Online server (optimismonline.com). The sync service in the Optimism desktop software also transfers records to the same database.
The only personally identifiable information held in the database is email addresses, first names and (optionally) surnames.
Email addresses are encrypted and passwords are hashed.
We use a PostgreSQL database for storing clients' records. PostgreSQL is a mature object-relational database that has been in open source development since 1996. The PostgreSQL Global Development Group (PGDG) takes security seriously, so that users can have confidence in the security of the database and applications built around it. Their approach allows excellent configuration options, ensuring a secure, robust database, and seamless integration with our applications.
We maintain a "trust list", which is comprised of 3 individuals who are responsible for maintaining the Optimism Online database. Access to the database is on the basis of IP address (according to the trust list), username and password. In effect this means that for someone to access the database they need to be sitting at one of three computers worldwide, and know the username and password.
The database (and application) are hosted on a "virtual private server". In effect this means that we are leasing a segregated section of a server. We don't share it with any other domains, including others that we own.
- Your Email Address
- When registering to use the Optimism Online database, the email address does not need to be a primary email address; it can be a secondary email address (perhaps used for privacy purposes or spam). We don't validate the address when you sign up, except to ensure that it is in the correct form of an email address. (You don't need to click on an email link to complete registration.)
The email address serves three purposes:
- It can be used to log in instead of the username.
- It is used for resetting a forgotten password. This is the most important reason for using your regular email address.
- If you take a trial of the web app then we send a follow-up email during or after the trial period to ask for feedback and to see if we can help with any questions. We also send a newsletter when we have a major announcement. There is also an opportunity when registering to sign up to receive our occasional newsletter.
Please consult our Privacy Statement for further information regarding our Privacy Policy.
- E-commerce Records
- Our online store is located on the website findingoptimism.com, which is hosted on a different server from the Optimism Online database. Our e-commerce intermediary, PayPal, passes basic, non-financial information to us following purchases of licenses for the Optimism web app and Optimism desktop software. This information is stored for a short time on that server, before being permanently removed. It is never stored on the same server as Optimism Online.
- Final Note
- In the area of database security it is never possible to give a 100% iron-clad guarantee. Security on the internet is very dynamic in nature. However, we believe that the standard we set for Optimism Online is very high, and will give clients confidence that their records will not be read without their permission.
- Notification of Changes
- This document will be updated as changes are made to strengthen security arrangements. This is the second version, released on 26 August 2010. Please check back periodically.
- Additional Questions
- If you have any comments or questions regarding our security arrangements, please contact us using the contact form.