Encrypting stored data is essential, but it is a mistake to assume encryption alone keeps data secure. Encryption is the last barrier that limits the damage of a leak; ideally there is no leak in the first place. The priorities are, in that order: prevent data leaks, limit their scope, and, when all else fails, limit what a leak can expose.
So that is what we set out to do.
Cyber Essentials is a UK government-backed, industry-supported scheme that helps organisations protect themselves against common cyber attacks. It focuses on five essential technical controls: secure configuration, boundary firewalls, access control, patch management and malware protection. We are delighted to hold the Cyber Essentials certificate.
All connections are served over HTTPS with TLS 1.3 enforced. Access to our REST API requires a strong password (preferably 32-64 characters) and can optionally be restricted further by IP allowlisting (whitelisting) or by additional API keys. Passwords are never stored in plaintext; they are stored as Argon2i hashes.
We invest substantial effort in keeping our servers secure. All inbound traffic is denied by default; only what is actually needed is opened, per port and source. Administrative access is limited to dedicated passthrough (jump) servers and is authenticated with RSA key pairs. Our servers and images are scanned daily for vulnerabilities and patched accordingly.
We take encryption seriously. We apply multiple layers of encryption using established, secure protocols and ciphers only. This goes as far as a unique encryption key pair per file, so that the key for one file cannot be used to read another customer's data. The encrypted files are additionally backed up to an external, Dutch-hosted S3 bucket that is not on Amazon.
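The page does not say how the per-file keys are managed beyond "a unique key pair per file", so the Go example below, which is added here and is not the operator's own code, shows one common construction that delivers the property claimed: envelope encryption with a fresh symmetric data key (DEK) per file, wrapped under a master key (KEK). The use of AES-GCM, the 256-bit key sizes, the file IDs and the record layout are all assumptions for the example. What it demonstrates is that the key recovered for one file cannot open another file, that tampering with a stored record is detected, and that a record (wrapped key plus ciphertext) can be copied to a backup bucket without exposing anything, provided the master key never goes there.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// EncryptedFile is the record that goes to storage or the backup bucket. The
// per-file data key travels with the ciphertext, but only in wrapped form, so
// neither part is useful without the master key.
type EncryptedFile struct {
	FileID     string
	WrappedDEK []byte // AES-GCM under the master key: nonce || ct, AAD = FileID
	Body       []byte // AES-GCM under the DEK:        nonce || ct, AAD = FileID
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealWith encrypts plaintext with key, authenticates aad alongside it, and
// returns nonce||ciphertext so the nonce is stored with the data it protects.
func sealWith(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, aad), nil
}

// openWith reverses sealWith; any modification of blob or aad fails authentication.
func openWith(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, aad)
}

// EncryptFile draws a fresh 256-bit DEK for this file only, encrypts the content
// under it, then wraps the DEK under the master key. The file ID is bound as AAD
// so a wrapped key or body cannot be transplanted onto another file's record.
func EncryptFile(masterKey []byte, fileID string, content []byte) (*EncryptedFile, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	body, err := sealWith(dek, content, []byte(fileID))
	if err != nil {
		return nil, err
	}
	wrapped, err := sealWith(masterKey, dek, []byte(fileID))
	if err != nil {
		return nil, err
	}
	return &EncryptedFile{FileID: fileID, WrappedDEK: wrapped, Body: body}, nil
}

// DecryptFile unwraps the file's own DEK with the master key, then decrypts the body.
func DecryptFile(masterKey []byte, f *EncryptedFile) ([]byte, error) {
	dek, err := openWith(masterKey, f.WrappedDEK, []byte(f.FileID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return openWith(dek, f.Body, []byte(f.FileID))
}

// DecryptWithForeignDEK shows the isolation property: the unwrapped DEK of
// keyHolder is useless against target's body, so it always fails.
func DecryptWithForeignDEK(masterKey []byte, keyHolder, target *EncryptedFile) ([]byte, error) {
	dek, err := openWith(masterKey, keyHolder.WrappedDEK, []byte(keyHolder.FileID))
	if err != nil {
		return nil, err
	}
	return openWith(dek, target.Body, []byte(target.FileID))
}

func main() {
	// Constructed demo master key; in production it lives in a KMS or HSM,
	// never next to the records it protects.
	master := bytes.Repeat([]byte{0x42}, 32)
	a, _ := EncryptFile(master, "customer-A/report.pdf", []byte("alpha secret"))
	b, _ := EncryptFile(master, "customer-B/report.pdf", []byte("bravo secret"))
	pt, _ := DecryptFile(master, a)
	fmt.Printf("A with its own key: %q\n", pt)
	_, err := DecryptWithForeignDEK(master, a, b)
	fmt.Printf("B with A's key: %v\n", err)
}
```

The isolation only means something if the master key is kept apart from the records, typically in a KMS or HSM with its own access policy; if it were stored in the same bucket as the backups, per-file keys would add nothing. Binding the file ID as AAD is what stops an attacker with write access to storage from swapping records between customers.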
Our servers are protected by security scans and threat-detection tools. Several of our customers run yearly penetration tests against the environments to verify the integrity of our solution. There have been no successful attempts at gaining unauthorised access to either the web environments or the servers. We nevertheless greatly value these tests: even when no access is gained, they surface findings such as slightly outdated packages or suboptimal configurations that we then address.
We do not allow ourselves or any third party to analyse, sell or share your data. Unless specifically requested by our customers, we do not even use tracking cookies in our solutions, with the sole exception of Google's reCAPTCHA on the login pages for brute-force protection. Beyond that we set only functional, strictly necessary cookies.
You need a reliable, robust, secure and GDPR-compliant* solution provided by an ISO-accredited specialist in data security.