Security

More than just encryption

While encryption is an essential practice to apply to your data storage, it is wrong to assume that it is sufficient on its own to keep your data secure. Encryption is the last barrier limiting the damage of a potential leak, but ideally there is no data leak in the first place. First and foremost, you want to prevent data leaks; failing that, limit their scope; and when all else fails, limit their content.

So that is what we set out to do.

Certifications

ISO27001 & Datacenters

View our ISO27001 Certificate
SECUREDD is a partner and official reseller of the SSLPost Group Europe, which is fully ISO27001 certified. We set high requirements for our providers and strictly use datacentres within the Netherlands owned by EU-based entities, all of which are also certified for ISO27001 and more. That means no Amazon, Google, Microsoft, IBM, Oracle or NSA/CIA having unfettered access to your storage through backdoors implemented under the Patriot Act.

Cyber Essentials is a government-backed, industry-supported scheme to help organisations protect themselves against common cyber attacks. Cyber Essentials focuses on the five essential elements of cyber security: secure configuration, boundary firewalls, access controls, patch management and malware protection. We are delighted to hold the Cyber Essentials Certificate.

Connections

All connections are served and enforced via HTTPS over TLS 1.3. Access to our RESTful interface is restricted by strong-password requirements (preferably 32-64 characters) and optionally by IP whitelisting and/or additional API keys. Passwords are securely stored using Argon2i.

Servers

We invest substantial effort in keeping our servers secure. All traffic is blocked by default, then re-opened based on need. Server access is limited to dedicated passthrough servers using secure RSA keypairs. Our servers and images are scanned daily for vulnerabilities and patched accordingly.

When it comes to encryption, we take it very seriously. We apply multi-level encryption using established and secure protocols and ciphers only. This goes as far as having a unique encryption key pair per file, ensuring no unauthorized entity can ever access another person's data. These encrypted files are in turn stored in an external (non-Amazon, Dutch-hosted) S3 bucket as a backup.

Auditing & security scans

Our servers are protected by security scans and threat detection tools. Several of our customers run yearly penetration tests on the environments to verify the integrity of our solution. There have been no successful attempts at gaining unauthorized access to either the web environments or the servers. We do, however, greatly value these tests, as they might point out other issues such as slightly outdated packages or suboptimal approaches that could be updated.

We do not allow ourselves or any third party to analyse, sell or share your data. Unless specifically requested by our customers, we do not even use tracking cookies on our solutions, with the exception of Google's reCAPTCHA on the login pages only, for brute-force protection. Other than that, only functionally essential system cookies are used.

Common misconceptions

  • Companies claim that their datacentre is ISO accredited and that their data is therefore secure. It is not enough that the provider uses an ISO accredited datacentre if the company using the software, or the software itself, isn't held to the same standards.
  • It is not enough that the provider "works" to ISO or PCI-DSS standards if they are not inspected annually by an independent external auditor.
  • It is not enough to password protect your documents and send them using traditional email; these are easily accessed.
  • Storing all your data in an encrypted Sharepoint-like environment without the proper use of access management has still proven to be vulnerable to phishing.
  • Solutions like WeTransfer do safely store your documents, but anyone with the given link and/or password can access them. These solutions are not intended for sharing sensitive data.

You need a reliable, robust, secure and GDPR compliant* solution provided by an ISO accredited specialist in data security.