Security

While encryption is an essential practice to apply to your data storage, it is wrong to assume this is sufficient to keep your data secure. Encryption is the last barrier limiting the damage of a potential leak, but ideally, there is no data leak in the first place. First and foremost you want to prevent data leaks, limit the scope of data leaks, and when all else fails limit the content of data leaks.

So that is what we set out to do.

All connections are served and enforced via HTTPS over TLS 1.3. Access to our RESTful interface is restricted via strong password (preferably 32-64 characters) requirements and optionally using IP whitelisting or using additional API keys. Passwords are securely stored using Argon2i. 

We invest substantial effort in keeping our servers secure. All traffic is blocked by default, then re-opened based on need. Server access is limited to dedicated passthrough servers using secure RSA keypairs. Our servers and images are scanned daily for vulnerabilities, and patched accordingly.

When it comes to encryption, we take it very seriously. We apply multi-level encryption using established and secure protocols and ciphers only. This goes as far as having a unique encryption key pairs per file ensuring no unauthorized entity can ever access another person's data. These encrypted files are in turn stored in an external (non-Amazon, Dutch hosted) S3 bucket as a backup.

Our servers are protected by security scans and threat detection tools. Several of our customers run yearly penetration tests on the environments to verify the integrity of our solution. There hasn't been any successfull attempts at gaining unauthorized access to either the web environments or the servers. We do however greatly value these tests, as they might point out some other issues like slightly outdated packages or suboptimal approaches that could be updated. 

We do not allow ourselves or any third party to analyse, sell or share your data. Unless specifically requested by our customers we do not even use tracking cookies on our solutions, with exception of Google's reCAPTCHA on just the login pages for brute-force protection. Other than that, functional system essential cookies only.

• Companies claim that their datacenter is ISO accredited and therefore their data is secure. It is not enough that the provider uses an ISO accredited datacentre if the company using the software, or the software itself aren’t held to the same standards.
• It is not enough that the provider “works” to ISO or PCI-DSS standards; they are not inspected annually, by an independent external auditor.
• It is not enough to password protect your documents and send them using traditional email; these are easily accessed.
• Storing all your data in an encrypted Sharepoint-like environment without the proper use of access management has still proven to be vulnerable to phishing.
• Solutions like WeTransfer do safely store your documents, but anyone with the given link and/or password can access them. These solutions are not intended for sharing sensitive data.

You need a reliable, robust, secure and GDPR compliant* solution provided by an ISO accredited specialist in data security.