Security Policy

Last Updated: January 2026

Introduction

Security and privacy are fundamental to how we operate whereonearth.net. As a service that provides IP geolocation intelligence, we understand the trust you place in us and take our responsibility seriously.

On this page we address questions potential customers commonly ask us about our approach to security. If, after reading this document, you still have questions, please contact us.

Please note: As a UK company, we are bound by UK GDPR and data protection regulations. You can find all details of our approach to privacy and data protection in our Privacy Policy.

Context / General Background

whereonearth.net provides IP geolocation and related intelligence services. While IP geolocation data is generally publicly derivable information, we take the security of all our systems and our users' privacy very seriously.

We hold no payment information and always collect as little data as possible. Our service is designed with privacy-first principles.

Account Protection

  • At sign-up or when changing passwords, we show users their password strength. We encourage all users to use secure passwords, ideally via a password manager.
  • Whether you're on a free trial or a paid subscription, you can secure your account with two-factor authentication (2FA). We strongly encourage use of this feature.
  • The whereonearth.net account dashboard is only accessible via HTTPS.
  • Users can regenerate their API keys at any time through their account dashboard, immediately invalidating previous keys.
  • You can delete your account at any time. Inactive trial accounts are automatically deleted after 90 days of inactivity.
  • No user data is ever sold or shared with third parties.
  • All API request logs are automatically deleted after 90 days. Users requiring immediate deletion can request this through their account settings.

Payment Data

We NEVER hold any customer payment credentials (card numbers, bank details, etc.).

Payment and billing are handled via our payment processor, Stripe. All details of Stripe's security practices and PCI compliance can be found on the Stripe security page.

Development Process and Security Awareness

  • All third-party dependencies are regularly and automatically scanned for known vulnerabilities. Security patches are applied promptly.
  • All software is managed via version control systems and undergoes automated testing in staging environments before deployment to production.
  • No user data or production credentials are stored in source code.
  • All servers are secured and accessible only via secure, authenticated methods (SSH with key-based authentication).
  • We use password managers to ensure all passwords are unique and complex.
  • All user passwords are hashed using industry-standard hashing algorithms and cannot be recovered by employees.
  • Security of all systems is regularly reviewed and extended.
  • Employees and contractors are given the minimum level of access required to perform their work (principle of least privilege).
  • All employees and contractors sign NDAs before gaining access to any sensitive information.
  • All team members understand that security is paramount, and time is regularly allocated for learning, reviewing, and implementing security best practices.
  • We have designated individuals responsible for overseeing information security.

Infrastructure and Hosting

Our API services are hosted on secure, enterprise-grade cloud infrastructure with:

  • Multiple redundant locations for high availability
  • Automatic scaling to handle traffic spikes
  • DDoS protection and rate limiting
  • Regular security audits and updates
  • 24/7 monitoring and alerting

All data transmission is encrypted using TLS 1.2 or higher. We enforce HTTPS for all web traffic and API endpoints.

Backups and Data Retention

  • As a UK company, we are bound by UK GDPR. Please see our Privacy Policy where this is explained in detail.
  • Account data is backed up via daily encrypted snapshots and stored securely off-site.
  • We regularly practice disaster recovery procedures to ensure backup integrity.
  • API request logs are automatically deleted after 90 days.
  • Customer data is NEVER used for AI training purposes or shared with any third parties.
  • Upon account deletion, all personal data is permanently removed within 30 days.

API Security

  • All API requests are authenticated using secure API keys
  • Rate limiting is enforced to prevent abuse
  • Suspicious activity is automatically detected and blocked
  • API keys can be regenerated instantly if compromised
  • We support IP whitelisting for enterprise customers
  • All API endpoints use HTTPS exclusively

Incident Response

In the unlikely event of a security incident:

  • We have documented incident response procedures
  • Affected users will be notified promptly
  • We will provide transparent communication about the nature and scope of the incident
  • Updates will be provided via email and our status page (if applicable)
  • We work with relevant authorities as necessary

Security Testing

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please contact us at security@whereonearth.net. We commit to:

  • Acknowledging your report within 48 hours
  • Providing regular updates on our investigation
  • Crediting you (if desired) once the issue is resolved

We do not currently operate a formal bug bounty program, but we deeply appreciate security researchers' contributions to keeping our service secure.

Compliance

  • UK GDPR: Full compliance with data protection regulations
  • PCI DSS: Through our payment processor Stripe
  • TLS/SSL: All connections encrypted with modern standards
  • SOC 2 Type II: Under evaluation for 2026

Data Processing

  • All data processing occurs within the UK and EU
  • We use sub-processors only when necessary and maintain a list of sub-processors in our Privacy Policy
  • Data Processing Agreements (DPAs) are available for enterprise customers upon request
  • We do not transfer personal data outside the UK/EU without appropriate safeguards

Stay Informed

We invite users to contact us at any time with questions or concerns regarding security. In addition:

  • Service updates and changes are announced on our blog
  • Operational status is available on our status page
  • In the event of any security issues, we will provide prompt updates via email and our blog

Contact

For security-related inquiries or to report vulnerabilities:

Operated by:

Canopy Nexus Ltd

Trading as Where On Earth

United Kingdom