Parachute handles highly sensitive data from around the world every day. We take this responsibility very seriously
We never share your data with anyone but your emergency contacts. We never look at any of your data unless you ask us to. We don’t own your data. All data belongs to you.
Parachute is a neutral conduit for emergencies that has no affiliation with any political, economic or social cause. Parachute is open to anyone, regardless of background and beliefs. We work with some of the leading experts in the world to make sure our ability to provide a neutral service for all remains uninhibited.
When you activate Parachute, we email you (not your emergency contacts) a special link that, when opened from the phone that initiated the incident, allows you to delete the incident. To protect against forced deletion under duress, you have to wait 24 hours after the incident ended before you can delete the incident. When the incident is deleted, it is taken down immediately and the incident and its data is removed. In order to protect against accidental deletion and forced deletion under duress, an offline, inaccessible backup of the incident is kept for 30 days after it was deleted. After the 30 days have passed, the offline backup is destroyed and there is no way to recover the incident and its data. Parachute for Organizations members can set their own data removal and data management policies.
Parachute lets you delete your account and erase all your data by yourself, at any time, with no questions asked and without having to email customer support, simply by opening this link on your phone: Delete My Account
Parachute does not contain any trackers. Parachute does not send any of your information to data collection companies or other shadowy data dealers. Parachute does not use any data collection tools, tracking tools, marketing tools, advertising tools or analytics tools. Parachute does not upload your information to Google, Facebook or other advertisers. The Parachute app only communicates with the Parachute servers over a secure connection and at no point does it communicate with any other servers. Forensic investigation reveals that Parachute is the only one of 20 popular safety apps that does not send customer information to data collection companies. Read the shocking report
Parachute does not use any cookies. On the web, a short-lived session cookie is essential for keeping you logged in to the Parachute platform and preventing Cross-Site Request Forgery attacks. This cookie cannot be used for tracking and is typically wiped by your browser after 24 hours or when you exit your browser.
Parachute’s privacy practices exceed the level set by GDPR and similar legislation. Because Parachute does not install any cookies and does not use any tracking, analytics, marketing or advertising services, it is does not need to display any annoying privacy-related forced consent popup notices.
Essential Third Party Services
Parachute handles almost all functionality in-house, without relying on third party tools or services. However, there are three types of services which are impossible to handle in-house: Telecommunications, Mapping Imagery, and Content Delivery. You can control whether Parachute makes use of these services, however, this will impact essential Parachute functionality. These services are selected based on a balance between their product quality and ethical standards. Parachute pays for these services, which are provided in a B2B manner. These are not free, ad-supported or data-collection-subsidized services. However, the risk of these services misbehaving must be taken into account. Generally, organizations using the Parachute platform have a lot more flexibility, control and choice over these services. When using the Parachute app, we made some decisions for you, but you still have control over the use of these services.
In order to deliver phone calls and texts all over the world Parachute would need to establish business relationships with tens of thousands of telecommunications providers around the world, which would be impossible. While we do have direct relationships with some providers, we use Twilio as our communications provider. Because telecommunications are always unencrypted, our communications provider and all communications providers between us and the phone receiving the alert have access to the SMS alert and phone call alert originating from Parachute. Note that this is the case with any SMS or phone call and not specific to Parachute. You can avoid this by not including the phone numbers of your emergency contacts.
In order to reliably deliver email to your emergency contacts’ mailboxes, Parachute would need to establish special relationships with each email service provider, as the modern email word is very complex. Mailgun manages key aspects of our mailserver, including deliverability information, spam reporting, and email bounces. Because Mailgun has experience with sending millions of emails per day, they are able to leverage this experience to provide reliable email delivery that Parachute would not able to achieve on its own. Because email is unencrypted, our email service provider and those of your emergency contacts have access to the Parachute email alert. Note that this is the case with any email service provider, and not specific to Parachute. You can avoid this by not including any emails for emergency contacts and using Parachute for Organizations, which can be set up to not send you a confirmation email when you activate Parachute. You can also avoid this by setting up a PGP key for your Parachute alerts (advanced).
When you activate Parachute and your incident is sent to your emergency contacts, Parachute needs to show them your location on a map. Rolling out our own mapping imagery would be impossible, as Parachute would need to map every single part of the world. Unfortunately, we have to rely on mapping services for this purpose. In order to provide mapping imagery, Parachute pays Google Maps API a fee every time it displays their mapping imagery. While the underlying imagery is shared between the two products, this is not the same product as the free ad-supported Google Maps. Parachute’s Google Maps API imagery does not contain ads or install any cookies. When Google Maps API imagery is displayed in a page, Google can access that page’s URL and the GPS coordinates of any markers that are shown on their map imagery. They do not have access to any information about you. No Google service is ever involved during the use of the Parachute app. Only emergency contacts viewing your incident’s page will see Google Maps API imagery. We identified quality and privacy issues with all of the major mapping imagery services, but ultimately decided on Google Maps API imagery because 1) most emergency contacts would plug your location into Google Maps anyway and 2) its mapping imagery has far better coverage and quality than any other service we examined, which can make a huge difference at the time of the emergency. You can choose to disable the display of map imagery on the incident page seen by your emergency contacts. However, this means your emergency contacts will not be able to see an a live map at the time of the emergency, and would have to manually plug in your GPS coordinates to another mapping service of their choice. Parachute for Organizations members can choose from a menu of mapping imagery services.
When you activate Parachute, especially if you choose to share your incident on social media, it is critical that your evidence be available quickly and seamlessly to those viewing your incident, even at times of very high traffic and virality. To achieve this and protect against DDoS attacks, Parachute would need to deploy thousands of servers in every country, colocated with every ISP, which would be impossible. We make use of the AWS Cloudfront Global Content Delivery Network for accelerating the delivery and ensuring the availability of your video evidence. Parachute for Organizations members have more control over which CDN to use, which country to store incident data in, and more.
Parachute never voluntarily discloses anything to law enforcement or any other third party, regardless of the merits of such disclosure, even if the disclosure is reasonable and could be characterized as instrumental or life-saving. Parachute defends against all data disclosure requests with forceful legal response, and only complies with the request if required by law or court order, or if not doing so would cause irreparable harm to Parachute. You should never rely on law enforcement requests or subpoenas as a means to disclose your incident to law enforcement. Instead, use the implied consent system baked into Parachute itself to release your incident to organizations, individuals, or emergency services that you trust, and who can share your incident with law enforcement if they see fit.
Parachute is used by change-makers all around the world, who risk their lives in order to make the world a safer place. Parachute makes use of advanced security techniques to protect their work
We’ve designed Parachute to ask for the minimum amount of data required from you in order to function properly. Parachute is password-free, meaning that even in the event of a breach, no passwords could be obtained, dramatically lowering exposure risk. This also makes Parachute immune to “password spraying” attacks.
Parachute is designed for zero preagreement, meaning that your emergency contacts do not need to know anything about you or Parachute until the moment of the emergency. Additionally, the Parachute incident shortlink is immediately playable on every browser and device, without any further action like an app download. Achieving this introduces a number of risks, which Parachute defends against.
Deletion Under Duress
Parachute protects against deletion under duress by disallowing incident deletion until after 24 hours have passed and keeping an offline, inaccessible backup of evidence for 30 days after an incident is deleted.
Parachute wipes all data from your phone as soon as it’s been safely moved off the phone, so if an advanced attacker gets a hold of your phone, they will not be able to access any of your previously recorded data. Additionally, Parachute does not produce any logs, which an attacker could use to identify your activity. Parachute does not provide any way to view a list of your past Parachute incidents, so an attacker would not be able to obtain your incident history. There is only a single receipt that an incident occurred — the one sent to your email — which you can delete, move to offline secure storage, or send to an email that is not accessible from your phone.
Parachute contains code designed to detect whether your phone has been compromised by an advanced attacker, such as a government, who is able to issue and install rogue certificates.
Parachute uses DKIM signing, SPF, and the highest DMARC policy setting available (reject) to protect against email impersonation and email spoofing.
Man In The Middle
All Parachute evidence travels encrypted in a secure pipe with an RSA 2048-bit key. Parachute has an A+ rating on Qualys. We use a CAA record to prevent unauthorized entities from issuing rogue certificates. We use certificate pinning to ensure malicious parties cannot intercept Parachute data by issuing rogue certificates.
Parachute makes very minimal use of open-source code. When it does, every line of open-source code is manually reviewed and cleared before use. Parachute does not contain any closed-source code. Parachute only sends data to Parachute servers, and does not talk to any third party servers.
Parachute uses the HSTS header on all subdomains with preloading to protect against downgrade attacks.
Parachute is a remote-first organization, allowing our team members to be geographically fluid. Because of this, our disaster correlation risk is low.
Parachute evidence is stored with >99.999% durability and replicated on various locations to prevent correlation risk.
Team Member Safety
To reduce the risk of team member compromise, Parachute team member names and contact information are redacted from all publicly accessible documents.
Parachute data is always encrypted and always travels in a secure, pinned pipe. Because zero preagreement is a key tenet of Parachute, E2EE is not a desirable attribute, as it requires the preagreement of encryption keys in advance of the emergency. Additionally, the Parachute incident shortlink needs to be immediately playable on every browser and device, without any further action like an app download, to minimize friction at the time of the emergency. E2EE is available for all incidents sent to hotlines. Incidents sent to hotlines run by organizations on the Parachute platform have preagreement so Parachute is able to pass through the incident data directly to the organization, in which case it only acts as a relay of opaque data. When E2EE is turned on for a hotline, many features of the Parachute platform are unavailable, as they require the disclosure of the encryption key to Parachute.
Parachute’s requirements for zero preagreement, shareability, and frictionless incident access at the time of the emergency present unique challenges with regard to web scraping and shortlink brute-forcing. It is important to understand why these attributes are important by reading the foundational blog post on Parachute. Parachute is armed with advanced protections that make such attempts mathematically impossible. Additionally, shortlinks go cold after 3 months, further limiting the scope of accessible data. Organizations can set their own access controls for incidents sent to their hotlines, including choosing to make the incidents not available via shortlink.
Denial of Service
Bad actors or governments can use DDoS attacks to take down your public incident link and prevent it from being viewed by your emergency contacts, twitter followers, and anyone else you or your emergency contacts choose to share it with. Parachute uses a global Content Delivery Network to deliver your live incident video quickly and reliably, and make it hard for DDoS attacks to be effective. Parachute is armed with advanced automated protections against DDoS and bot activity, instantly blacklisting bad behavior.
Parachute offers a bug bounty program for bugs and vulnerabilities that are within the scope of our security model. You will always make more money selling a Parachute vuln to us than going to someone else. You need to register with firstname.lastname@example.org and get information on what is within the scope of our security model before conducting any research of any kind. Conducting any research of any kind without registering and acquiring the necessary permissions violates our ToS and all instances will be met with forceful legal response.
As a United States corporation, Parachute may receive a United States National Security Letter with “gag order” provisions. Parachute has not received a United States National Security Letter “gag order”.