At TeslaFi we take security very seriously and continue to look for opportunities to make improvements.
Below if a summary of how TeslaFi obtains and secures the data that it collects.
- TeslaFi uses Amazon’s AWS platform and infrastructure with two factor authentication for access. https://aws.amazon.com/security/
- All data is stored in an encrypted RDS database that is not publicly accessible. https://aws.amazon.com/rds/
- SSH Keys are required to access all servers and IP restrictions further limit access to only authorized developers.
- All servers are routinely scanned by Amazon Inspector to identify vulnerabilities or deviations from best practices. https://aws.amazon.com/inspector/
- Application servers can be accessed only via HTTPS. We use industry standard encryption for data traversing to and from the application servers. https://www.ssllabs.com/ssltest/analyze.html?d=teslafi.com&latest
- Cloudflare Web Application Firewall: https://www.cloudflare.com/waf/
- Cloudflare Rate Limiting https://www.cloudflare.com/rate-limiting/
- Cloudflare DDOS https://www.cloudflare.com/ddos/
- XSS – All user inputs are properly encoded when displayed to ensure XSS vulnerabilities are avoided.
- CSRF – All POST requests are checked for CSRF token before processing the request.
- SQL Injection – Prepared statements are used for database access to avoid SQL Injection.
- Routine scans by detectify.com to test for vulnerabilities. https://detectify.com/what-is-detectify
Tesla API Token:
- Tesla.com username and passwords used to create a Tesla.com token are never saved or stored on TeslaFi.
- A user generated token can be used as an alternative to TeslaFi.com generating the Tesla.com token.
- Tesla API tokens are not displayed on TeslaFi.com by default.
- TeslaFi.com controls and scheduling are not enabled by default and cannot be enabled without generating or providing a new Tesla.com API token.
- Remote start of Tesla vehicles require both the Tesla API token and the Tesla.com credentials. TeslaFi.com is unable to remotely start a vehicle as Tesla.com credentials are not stored.
- Tesla API Tokens can be revoked at any time by changing your Tesla.com password.
- TOTP two factor authentication is available for all accounts and can be configured in settings->account->security.
- An email notification can be configured in settings->account->security to alert of all new logins.
Credit Card Processing & Billing:
- All credit card processing and transactions are conducted within Chargebee.com. Chargebee is a PCI-DSS Level 1 Service Provider.
- No payment information is stored or available to TeslaFi.com.
- Chargebee.com access is protected by two factor authentication.
We are working continuously to make our system secure. If you find any security issues, please submit it to [email protected].