AttachmentScanner Security Overview

This document outlines the security measures that also form part of our privacy policy, in an easier-to-digest format.

Security

We take security incredibly seriously. Although this article describes a number of our practices, please feel free to contact us for more details or to request a copy of our security white paper.

We employ both automated and manual scans of our applications for vulnerabilities and security issues. If an issue should arise, we attempt to promptly deal with it as appropriate.

  1. Data Center Security

    The security of our data depends on the provider in use. By default, account information is held within Amazon Web Services (AWS).

    AWS has a robust and dedicated team constantly monitoring their data centers and security. AWS continually manages risk and undergoes recurring assessments to ensure compliance with industry standards. More information can be found at https://aws.amazon.com/compliance

    AWS’s data center operations have been accredited under:

    HIPAA, CSA, ISO 9001/27001/27017/27018, SOC 1/2/3, PCI Level 1, FISMA, Sarbanes-Oxley (SOX) and many others.

    We're also very careful about access to our infrastructure. Please contact us if you need to know more.

  2. Cluster Security

    Each cluster stores all of the data it needs to operate. This means that data stored within a cluster, such as file and scan information, never leaves the region of the cluster itself.

    This helps significantly when regional data concerns such as GDPR are in play.

    Clusters are created in AWS by default but can also be created in Azure and Google platforms among others. Please contact us for information about specific suppliers.

  3. Encryption

    • Communication with our customer-facing website takes place over HTTPS and TLS.

    • All scanning clusters communicate with the core API and customers over HTTPS and TLS.

    • Communication within the cluster between scanning engines happens over TLS encrypted channels.

    • Communication between clusters and their storage system (database) happens over TLS.

    • When given a URL to scan, we will use TLS if it is an HTTPS URL.

    • Our billing provider independently stores all credit card and billing data at the highest levels of security.

    • Where possible all data (including uploaded/downloaded files) is stored encrypted at rest.

  4. GDPR & Privacy Shield

    We are fully compliant with GDPR and related privacy laws. For more information, please see the privacy policy data section.

  5. Retained Scan Information

    To provide our service we must store the following information:

    Attribute        Description
    URL              The URL of the file (if it was passed)
    filename         The filename of the file
    MD5              An MD5 hash of the file. This helps identify the file but cannot be used to determine the content of the file.
    SHA256           An SHA256 hash of the file. Like the MD5 hash, this helps identify the file but cannot be used to determine the content of the file.
    Status           The scan status.
    Content-Length   The size of the file.
    Matches          The name of the virus/malware found (if any).

    By using hashing, we can create a unique identifier for a file without actually referencing the contents. For more information about hashing, feel free to contact us.

    Additional fields may be added as the product continues to improve. More information regarding the information stored can be found in the documentation.

    As outlined above, where possible this data and the content of any files we scan are stored encrypted. The actual file contents will be deleted as soon as a scan has been completed.

  6. Reporting Issues

    1. If you think something should have been found but it wasn't, then please contact us. We may ask for a copy of the file to determine why nothing was discovered.

    2. If you think there is a security issue with our platform, please see our disclosure policy.

Security Document Last updated: 2020/03/13