Security

Encryption

A general consensus seems to be that encrypting files is enough to guarantee security. We disagree, and so aspire to go much further. Encryption is essential, but it is the last barrier: it is what separates a somewhat harmless data leak from a devastating one. First and foremost you want to prevent data leaks, then limit their scope, then limit their content. That is what we set out to do.

Certifications

ISO27001 & Datacenters

View our ISO27001 Certificate
SECUREDD is part of the SSLPost Group Europe, and our software and servers fall under the group's ISO 27001 certification. We set high requirements for our providers and use only datacentres located in the Netherlands and owned by EU-based entities. That means no Amazon, Google, Microsoft, IBM or Oracle hosting your storage, and so no US agency (NSA, CIA or otherwise) that can compel such a provider under legislation like the Patriot Act to hand over your data.

Cyber Essentials is a UK government-backed, industry-supported scheme that helps organisations protect themselves against common cyber attacks. It focuses on five technical controls: secure configuration, boundary firewalls, access control, patch management and malware protection. We are delighted to hold the Cyber Essentials certificate.

Connections

All connections are served over HTTPS, with TLS 1.2 or TLS 1.3 enforced; older protocol versions are refused. Access to our RESTful interface requires a strong password (preferably 32-64 characters) and can additionally be restricted by IP filtering or API keys. Passwords are never stored in clear text: only a salted Argon2i hash is kept.

Servers

Our servers are hardened by starting with every port blocked and opening only the required inbound and outbound ports afterwards. The only access to a server is over SSH using key-based authentication, with AES-256 protecting the session. Our servers are scanned daily for vulnerabilities and patched accordingly.

When it comes to encryption, we take it very seriously. We apply multi-level encryption using only established, secure protocols and ciphers. This goes as far as a unique data encryption key per file, so that no unauthorised party can ever access another person's data, and the compromise of one file's key exposes no other file. The encrypted files are in turn stored as a backup in external S3-compatible object storage hosted in the Netherlands (not Amazon).
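The per-file key design described above is usually called envelope encryption: every file gets its own random data encryption key (DEK), and only the DEK, wrapped under a master key encryption key (KEK), is stored next to the ciphertext. The Go program below is an added illustration of that pattern, not SECUREDD's own code. It uses AES-256-GCM for both layers and binds the file identifier as associated data so a wrapped key cannot be transplanted onto another file; the in-memory KEK, the file identifiers and the sample plaintexts are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// EncryptedFile is what gets written to object storage for one file:
// the file's own DEK wrapped under the KEK, and the body sealed under the DEK.
type EncryptedFile struct {
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK, aad=fileID)
	Body       []byte // nonce || AES-256-GCM(DEK, plaintext, aad=fileID)
}

// sealAEAD encrypts plaintext under a 32-byte key with AES-256-GCM and a fresh
// random nonce, authenticating aad alongside. Output layout is nonce||ciphertext||tag.
func sealAEAD(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// openAEAD reverses sealAEAD. Any change to key, nonce, ciphertext, tag or aad
// makes GCM authentication fail and returns an error instead of plaintext.
func openAEAD(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// EncryptFile draws a fresh 256-bit DEK for this file only, encrypts the file
// body with it, then wraps the DEK under kek. The plaintext DEK is not retained.
func EncryptFile(kek []byte, fileID string, plaintext []byte) (EncryptedFile, error) {
	dek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, dek); err != nil {
		return EncryptedFile{}, err
	}
	body, err := sealAEAD(dek, plaintext, []byte(fileID))
	if err != nil {
		return EncryptedFile{}, err
	}
	wrapped, err := sealAEAD(kek, dek, []byte(fileID))
	if err != nil {
		return EncryptedFile{}, err
	}
	return EncryptedFile{WrappedDEK: wrapped, Body: body}, nil
}

// DecryptFile unwraps the file's DEK with kek and then decrypts the body.
// The fileID must match the one used at encryption time, or unwrapping fails.
func DecryptFile(kek []byte, fileID string, ef EncryptedFile) ([]byte, error) {
	dek, err := openAEAD(kek, ef.WrappedDEK, []byte(fileID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openAEAD(dek, ef.Body, []byte(fileID))
}

func main() {
	// Assumed for the demo: a random KEK held in memory. In a real deployment the
	// KEK lives in an HSM or KMS and only the wrap/unwrap operation is exposed.
	kek := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, kek); err != nil {
		panic(err)
	}
	a, _ := EncryptFile(kek, "file-a", []byte("invoice for customer A")) // constructed sample
	b, _ := EncryptFile(kek, "file-b", []byte("contract for customer B")) // constructed sample
	pt, err := DecryptFile(kek, "file-a", a)
	fmt.Printf("file-a: %q err=%v\n", pt, err)
	// Pairing file-b's wrapped key with file-a's body is rejected: the identifier
	// bound as associated data does not match, and the DEKs differ anyway.
	_, err = DecryptFile(kek, "file-a", EncryptedFile{WrappedDEK: b.WrappedDEK, Body: a.Body})
	fmt.Println("mixed keys rejected:", err != nil)
}
```

Because each file has its own DEK, leaking one unwrapped DEK exposes exactly one file, and revoking or rotating the KEK only requires re-wrapping the small DEK blobs, never re-encrypting the file bodies.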

Auditing & security scans

On top of our own security scans and threat detection tools, we have ourselves audited by dedicated security testers multiple times per year. Since the launch of our platform in 2010, none of them has achieved a breach or found another serious security issue.

Our policy is that neither we nor any third party may analyse, sell or share your data with anyone. Unless specifically requested by our customers we do not even use tracking cookies on our solutions, only the cookies essential to the functioning of the system.

Some common misconceptions:

  • Companies claim that their datacentre is ISO accredited and that their data is therefore secure. An ISO accredited datacentre is not enough if the staff, the software and the operating system running on the servers are not held to the same standard.
  • It is not enough that a provider "works to" ISO or PCI-DSS standards; unless they are inspected annually by an independent external auditor, there is no evidence that they actually do.
  • It is not enough to password-protect your documents and send them by traditional email; such protection is easily broken.
  • Storing all your data in an encrypted SharePoint-like environment without proper access management has still proven vulnerable to phishing.
  • Solutions like WeTransfer do store your documents safely, but anyone holding the link and/or password can access them. Such solutions are not intended for sharing sensitive data.

You need a reliable, robust, secure and GDPR compliant* solution provided by an ISO accredited specialist in data security.