Security

TeslaFi.com Security

At TeslaFi we take security very seriously and continue to look for opportunities to make improvements.

Below is a summary of how TeslaFi obtains and secures the data that it collects.

Hosting:

• TeslaFi uses Amazon’s AWS platform and infrastructure with two factor authentication for access.  https://aws.amazon.com/security/
• All data is stored in an encrypted RDS database that is not publicly accessible.  https://aws.amazon.com/rds/
• SSH Keys are required to access all servers and IP restrictions further limit access to only authorized developers.
• All servers are routinely scanned by Amazon Inspector to identify vulnerabilities or deviations from best practices.  https://aws.amazon.com/inspector/

Application Security:

• Application servers can be accessed only via HTTPS. We use industry standard encryption for data traversing to and from the application servers.  https://www.ssllabs.com/ssltest/analyze.html?d=teslafi.com&latest
• Cloudflare Web Application Firewall:  https://www.cloudflare.com/waf/
• Cloudflare Rate Limiting https://www.cloudflare.com/rate-limiting/
• Cloudflare DDOS https://www.cloudflare.com/ddos/
• XSS – All user inputs are properly encoded when displayed to ensure XSS vulnerabilities are avoided.
• CSRF – All POST requests are checked for CSRF token before processing the request.
• SQL Injection – Prepared statements are used for database access to avoid SQL Injection.
• Routine scans by detectify.com to test for vulnerabilities.  https://detectify.com/what-is-detectify
• Routine scans by pentest-tools.com to test for vulnerabilities.                     https://pentest-tools.com/website-vulnerability-scanning/website-scanner

Tesla API Token:

• Tesla.com username and passwords used to create a Tesla.com token are never saved or stored on TeslaFi.
• Full support for Tesla.com accounts with two factor authentication enabled.
• A user generated token can be used as an alternative to TeslaFi.com generating the Tesla.com token.
• Tesla API tokens are not displayed on TeslaFi.com by default.
• Controls and scheduling on TeslaFi.com are not enabled by default and cannot be enabled without generating or providing a new Tesla.com API token.
• Tesla API Tokens can be revoked at any time by changing your Tesla.com password.

TeslaFi.com Account:

• TOTP two factor authentication is available for all accounts and can be configured in settings->account->security.
• An email notification can be configured in settings->account->security to alert of all new logins.

Credit Card Processing & Billing:

• All credit card processing and transactions are conducted within Chargebee.com.  Chargebee is a PCI-DSS Level 1 Service Provider.
• No payment information is stored or available to TeslaFi.com.
• Chargebee.com access is protected by two factor authentication.

We are working continuously to make our system secure. If you find any security issues, please submit it to [email protected].