Security and Privacy

One of our main pillars is the security and privacy of our customers' information. This section highlights some of the specific security measures that we have taken to achieve this objective.

Document encryption and storage

Protecting the confidentiality, integrity, and availability of our customers' data is an important priority for us. To this end, we employ client-side encryption as a critical measure to protect sensitive data from unauthorized access and breaches.

Client-side encryption is a method of encrypting data before it is transmitted over a network or stored in the cloud. In this approach, the encryption and decryption of the data are performed on the client side rather than on the server side, ensuring that only authorized users with the decryption key can access the data.

By utilizing client-side encryption, we ensure that all documents uploaded by our customers are encrypted before leaving their device. This reduces the risk of data breaches and unauthorized access to sensitive information. Furthermore, since the encryption keys are generated and stored on the client side, the organization has no access to the contents of the encrypted documents, providing an extra layer of data privacy and security.

In addition to encryption, we have also chosen to store our documents on Swiss servers that are certified by ISO 27001. This certification is a widely recognized standard for information security management, and it provides us with independent verification that our servers meet strict security requirements. These requirements include physical security measures, access controls, network security, and other measures that help to safeguard our data against threats.

Although Azure is our cloud provider, customers are free to deploy their own document store instance.

Swiss data residency

We are committed to protecting the confidentiality and privacy of our customers' data. As part of this commitment, we have implemented a strict policy for the storage of documents that requires all documents to be stored exclusively on servers based in Switzerland. Swiss data residency is critical to our policy, as it offers robust data protection and privacy measures.

Storing our documents on servers based in Switzerland provides several key benefits. First, Switzerland is known for its strong data protection laws and regulations, which provide rigorous privacy and security protections for our customers' data. Second, by keeping our data under Swiss data residency, we can ensure that it is subject to the strict controls and oversight of the Swiss authorities, further enhancing the security and privacy of our customers' data.

Our policy of storing documents only on servers based in Switzerland ensures that our customers' data remains in a location that offers the highest level of protection. We take our responsibility to safeguard our customers' data seriously and are committed to complying with all applicable laws and regulations governing data protection and privacy.

High availability servers

We employ high availability servers within our cloud computing platform and maintain a comprehensive disaster recovery plan. Our use of high availability servers ensures that our systems remain operational and accessible to users, even in the event of hardware or software failures, while our disaster recovery plan outlines the steps we will take in the event of a major disruption or outage.

Although Azure is our cloud provider, customers are free to deploy their own document store instance.

Two-factor authentication

We take the security of our users' accounts very seriously. To help protect our users' accounts from unauthorized access, we offer two-factor authentication (2FA) as an added layer of security. Our 2FA system is compatible with all common time-based one-time password (TOTP) apps, including Microsoft Authenticator, Google Authenticator, and Duo.

When a user enables 2FA on their account, they are required to enter a unique code in addition to their username and password when logging in. This code is generated by a TOTP app, such as Microsoft Authenticator or Google Authenticator, and is valid for a limited time. By requiring a unique code in addition to the user's password, we can ensure that only authorized users are able to access their accounts.
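The server-side check behind a TOTP login can be sketched as follows. This is an added example, not the product's own code: it assumes the RFC 6238 defaults that common authenticator apps use (HMAC-SHA1, 30-second steps, 6 digits), and the function names, the one-step clock-skew window and the replay guard are illustrative choices.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (RFC 6238 default, assumed here)
DIGITS = 6   # code length shown by common authenticator apps

# Constructed sample secret: the published RFC 6238 test key, base32-encoded.
SAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()

def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 one-time code for a single counter value."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(secret_b32, submitted, now, last_used_step=-1, window=1):
    """Return the time step the code matched, or None if it is rejected.

    window         accepts codes from +/- `window` steps to absorb clock skew
    last_used_step highest step already accepted for this account; any code
                   at or before it is refused so a captured code cannot be
                   replayed while it is still inside the validity window
    """
    if not (submitted.isascii() and submitted.isdigit()
            and len(submitted) == DIGITS):
        return None
    key = base64.b32decode(secret_b32, casefold=True)
    current = int(now) // STEP
    for step in range(current - window, current + window + 1):
        if step < 0 or step <= last_used_step:
            continue
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(hotp(key, step), submitted):
            return step
    return None

if __name__ == "__main__":
    step = verify_totp(SAMPLE_SECRET_B32, "287082", now=59)
    print("accepted at step", step)
    print("replay:", verify_totp(SAMPLE_SECRET_B32, "287082", 59, step))
```

The caller is expected to persist the returned step as the account's new `last_used_step` and to rate-limit failed attempts, since a 6-digit code is short enough to guess without a limit.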

Security assessments

We place a high priority on the security of our application and infrastructure. To ensure that our security measures are effective, we conduct regular internal and external security audits and penetration tests. These audits and penetration tests are conducted at least once a year and are designed to identify any vulnerabilities or weaknesses in our system that could be exploited by malicious actors.

Internal security audits are conducted by our own security team, who use a variety of tools and techniques to identify potential security issues. These audits are designed to test our security measures from an insider's perspective, simulating the actions that a malicious actor might take if they gained access to our system.

External security audits and penetration tests are conducted by independent security experts who are not affiliated with our organization. These experts use a variety of tools and techniques to simulate real-world attacks and identify potential vulnerabilities in our system. By conducting external audits and penetration tests, we can ensure that our security measures are effective against a range of threats and not just those that we have anticipated.

Non-repudiation and auditing

We recognize the importance of keeping track of changes made to documents throughout their lifecycle. To achieve this, we have implemented a fully immutable audit trail that records all changes made to each document from creation to deletion.

The audit trail captures a comprehensive set of metadata for each document, including the date and time of each change, the identity of the user who made the change, and the nature of the change. This metadata is stored in a secure, tamper-evident log that cannot be modified or deleted.

By maintaining a fully immutable audit trail, we can ensure that the entire history of each document is preserved and can be accessed if needed. This helps to maintain the integrity of our documents, providing assurance that they have not been tampered with or modified in any unauthorized way.

Our immutable audit trail is an essential component of our document management system, providing transparency and accountability throughout the document lifecycle. It also helps us to comply with regulatory requirements and industry best practices, which often require organizations to maintain comprehensive audit trails of all document-related activities.