We are fully compliant with The European Union’s General Data Protection Regulation (GDPR). You can read our privacy policy here.


All servers have security updates automatically applied. We routinely upgrade our operating systems as new versions are released.


We use Heroku (PaaS) to manage backups for customer data in our billing system. For other systems, we create our own backups and store them with a second cloud service provider. This allows us to recover our infrastructure even if there’s a total failure with our primary service provider.

Credit card data

You provide your payment card information to our payment partner (Stripe) and we do not store the card number ourselves. We do store the last four digits of the card number, to provide you this information when you are managing your payments, and the card expiry so that we can notify you when you need to update your card information.

Employee Access

All employees and contractors are required to use password managers.

We immediately revoke access to all systems for employees and contractors who we are no longer working with.

Reporting of security issues

We gratefully receive reports of security issues. However, we don’t offer a bug bounty.

If you are the first to identify a genuine problem we will provide acknowledgement. We reserve the right to decide on this issue.

Please email: security (at) thunderforest (dot) com

Please do not …

  • … interrupt the normal working of any of our products or services
  • … identify problems on third-party services that we use
  • … send us general reports – please offer specifics
  • … make this information publicly available until we’ve had a chance to fix the bug

Security Acknowledgements

  • September 2023 - Taha Diwan - Unintended access to server performance information