Clement6510510

Verified purchaser

Deals bought: 135
Member since: Jan 2021
3 stars
Apr 11, 2024

Good idea but a security nightmare

I will pass on the various bugs and laggy features, as it's a new app.
The idea is great, but the security implementation is terrible. We log in through some sort of virtual machine to make sure vuala can have access to the invoices. This means the passwords have to be stored unencrypted for them to use as they see fit. It's a huge security flaw.
At no point during the onboarding was I made aware of this, or even to create separate accounts in "read" format to give them access. Not even adding the fact that on most of my tools, read format is non-existent (Frase, ChatGPT), leaving my passwords right in the open.

Lovely idea, but refund for me.

Founder Team
vicsfb

May 9, 2024

Hi Clement, We are sorry to hear that you were disappointed with the security of our product. Just want to clarify a few things to allay your concerns:
- We don't store credentials unencrypted, ever! All of our data is stored with SOC2 certified providers, and fully encrypted both in transit and at rest.
- For some platforms in the past, we used to directly ask our users for credentials. With most of the platforms we support today, we ask the user to sign in directly to an isolated browser instance, so that they don't have to share credentials with us ever again. All browser information is stored in encrypted storage as well. In fact, we ask our users to re-login when their logged-in sessions expire.
- Our browser instances are protected. Operational access is audited and only available to select members of the staff. In short, the data of your sessions stays protected in the browser itself.
- We've taken note of your concerns about the lack of security messaging during onboarding and whenever you connect a new source. Improvements are on the way! Thanks for bringing it up!
