Security Talking Points
Last updated: August 14, 2025
Payments
- Payments collected through FareHarbor are processed by Stripe, a PCI Level 1-certified and TLS 1.2 compliant provider backed by both Visa and American Express.
- FareHarbor is PCI certified as well, meaning we are compliant with the PCI Data Security Standards endorsed by Visa, MasterCard, AMEX, Discover, and JCB. You can view FareHarbor’s most recent PCI compliance certificate and AOC and SAQ certificates here.
- No sensitive cardholder data is stored in FareHarbor.
- Payments through Stripe are tokenized: the cardholders’ information is replaced with a series of randomly-generated numbers (a “token”) which can then be passed through FareHarbor without the actual details being exposed.
SSL
- See client-facing documentation here – this can be shared with anyone, even if they don’t have a FH account
Review this blog post for additional language around the importance of SSL:
TLS
Across all external-facing websites (fareharbor.com and dashboard, fareharbor sites) we require a minimum of TLSv1.2. While previous versions of TLS are not necessarily insecure, this keeps us in line with current web standards and modern security practices. Generally speaking the only thing you need to know here is “we support a minimum of TLSv1.2”, for any more complex TLS questions please ask in #security-questions.
Additional context: TLS is, essentially, the math that makes the web secure. If you see the little lock next to the domain you’re on or visit a page using https, you are almost certainly using TLS. Version 1.2 is the latest and greatest (widely accepted) version of the TLS standard, with TLS 1.3 coming soon. By no longer supporting TLS1.1 (or the long-ago-deprecated 1.0) we ensure that our users connections to us use the latest and greatest math (ciphers) to protect their information as it travels across the web.
Database Structure
- Multi-tenant, PostgreSQL
- “A multi-tenant application is a software system that serves multiple customers, each with their own isolated view of their own data in that system. Each customer and their data is often referred to as a tenant, hence multi-tenancy.” [source].
Data Security
- All non-cardholder data is stored in FareHarbor’s cloud infrastructure hosted by Amazon Web Services, an ISO 27001-certified provider. More about FareHarbor and AWS.
- Data is backed up hourly across a wide variety of servers to ensure the safety and accessibility of our customers’ data.
- Data is located in various AWS data centers. Only FareHarbor engineers that are physically in a FareHarbor office can access it.
- We run penetration and vulnerability scans, and all critical vulnerabilities and patches are remediated immediately.
- Passwords are stored using the PBKDF2 algorithm with a SHA256 hash, a password stretching mechanism recommended by the National Institute of Standards and Technology (NIST).
- Data at rest is encrypted using the industry-standard AES-256 algorithm.
Front-End Framework
- We use our own proprietary CSS framework (not Bootstrap)
FareHarbor Sites
FareHarbor uses Wordpress VIP as our all-in-one hosting and infrastructure support solution. Read about WordPress VIP security here.
Sales pitch
“FareHarbor takes reliability very seriously. We have multiple redundant application servers with automated failover, real-time replication to redundant database servers, and both real-time and snapshotted offsite backups across multiple physical locations in the United States (California, Ohio and Virginia). We’ve had 99.9% availability for scheduled uptime this year.”
GDPR
- Client-facing help page is here: //more/gdpr-and-data-privacy/
- Public legal statements are available here: https://fareharbor.com/legal
- Support Macros are viewable if you search “GDPR” or “Data”.
- Please submit any GDPR-related questions using the Legal Request form.
CCPA
- Client-facing help page is here: //more/ccpa-and-data-privacy/
- Public legal statements are available here: https://fareharbor.com/legal/privacy/
- The email address and phone number referenced in FareHarbor’s Privacy Policy and Terms of Service are active and regularly monitored.
Additional documents
For people who really want nitty-gritty details, you have permission to share the security docs here, which include the following:
FareHarbor’s PCI Compliance Certificate
Data Flow Diagrams
- FareHarbor Data Ingress and Egress Points
- FareHarbor Architecture
Responsibility Matrix
- First, clarify what business process they want to see. The document we’ve provided is a responsibility chart for PCI Compliance.
AWS Docs
- AWS ISO Global Certification
- AWS Soc 3 Report – Report on the AWS System Relevant to Security and Availability
Stripe Docs
- Stripe Attestation of Compliance
FAQ
Do we have a SOC Type I or II report?
We currently have SOC2 Type I report.
We are in the process of getting SOC2 Type II, with the plan to get it by the end of 2025.
Security questions
Some of our larger clients have security questionnaires that need to be completed before working with us. When a client requires answers to a security questionnaire, try to answer as many questions as possible before deferring our engineering team. Any inquiries related to dashboard permissions, features, integrations, etc. should not be directed to the engineering team.
For technical questions, first look at this page to see if the answers are readily available. Answer as much as you can from this document. The more questions you can respond to using existing materials, the faster the engineering team can respond to remaining concerns. To reach out to a member of the engineering team, post the questions you are not able to answer in the #security-questions Slack channel.
In your post in #security-questions, please include:
- company name
- their question(s)
- any relevant context
This should be used for client security concerns and questions only.