We take the security of your data very seriously. These are some of the steps we're taking to protect you and your team:
All pages are only available to logged in users with the proper credentials within your team, and we have several roadblocks throughout our systems to make sure of this. You or any team administrator can revoke or refine access to any team member at any point.
All of your files are safely uploaded to our servers. There, the filename is obfuscated and the file is encrypted. In order to access your files, a protected signed URL is generated. This URL can't be guessed and changes on every request. Even if someone manages to get ahold of a URL for a file, unless they're logged in and they're part of your team, they won't be able to see your files.
When fixing bugs or adding new features, our developers, unlike other tech companies, don't have access to user data. All of their work happens with sample data, that is completely separated from your data.
This double-protects your data: Our employees don't see your data and can't behave as whistleblowers with your information and can't, by mistake while trying something new, delete the data of any existing user.
All of our data is stored in several datacenters in the United States managed by Amazon Web Services. Our enterprise customers have all of their data stored in a separate dedicated server, database and file storage system, strategically located in a region near their main offices or physical location where it's going to be used the most.
We store all of your data for 30 days. This allows you not to lose your account by mistake, because of your loss of your account credentials or due to hacking. After this grace period, we will proceed to remove your files from all of our servers.
We enable Two-Factor Authentication on most of our apps and we recomment it for all of our users. Our systems, depending on the app or solution, provide several types of Two-Factor Authentication.
Our Accounts Management System keeps track of where and how you usually log-in (your location and the devices you have associated) and when suspicious activity arises, it triggers Two-Factor Authentication automatically.
We follow the BeyondCorp Zero Trust security framework, modeled by Google. This means, in a nutshell, that our systems don't trust anyone...not even you or ourselves. This adds increased security throughout the entire platform.
The framework consists in the following principles:
Perimiterless Design: Connecting from a particular network must not determine which services you can access.
Context-Aware: Access to services is granted based on what we know about you and your device.
Dynamic Access Controls: All acess to services must be authenticated, authorized and encrypted.