Security

We take your data security seriously. The following information answers many of the common questions about data security with cloud-computing. If you have further questions, please contact us at info@bundledocs.com.


How Does Bundledocs Secure My Data?

In-Transit

Bundledocs uses TLS encryption technology to ensure a secure channel of communication between our servers and the user’s browser. Any communication between our web servers and operational services such as our data storage service or document processing service is secured in this way. This ensures that at no point can Bundledocs data be deciphered during any routing operations.

 

At-Rest

Bundledocs uses [AES] in order to encrypt data. Specifically, [Cipher Block Chaining (CBC)] mode with AES.

Bundledocs Encryption Keys are managed and maintained in the [Azure Key Vault service] and access to those Keys is securely provided by [Azure Active Directory] through a [secure token exchange mechanism].

 

Where Is My Data Physically Stored?

Bundledocs’ data is stored in Europe, in Microsoft’s Azure Cloud data centres in Dublin, Ireland and Amsterdam, Netherlands. Bundledocs is a true cloud based solution and as such the data may be retrieved from either location during disaster recovery or redundancy scenarios.

 

What Certifications Do These Data Centers Have?

Microsoft’s Azure Cloud operates in the Microsoft Global Foundation Services (GFS) infrastructure, portions of which are ISO27001-certified, ensuring an industry standard degree of data centre security.

ISO27001 is recognized worldwide as one of the premiere international information security management standards.

Responsibility for compliance with laws, regulations, and industry requirements remains with customers, but Microsoft is committed to helping them achieve compliance.

For more information visit:

http://export.gov/

http://www.bsigroup.com/

 

How is access to my data managed?

System Level

Best practices for data security are followed to ensure that only authorized access to Bundledocs data is provided.

Bundledocs application and database servers are hosted in Microsoft data centers. Connections to the database are always encrypted, and unencrypted connections are disabled.

Note: Windows Azure Achieves IS0 27001 Certification from the British Standards Institute.

 

Application Level

We have procedural measures in place, such as access restrictions on service operations to prevent any possibility of unauthorized access to your data and documents. Bundledocs is the only service that can retrieve your documents in an unencrypted way. In the unlikely event of any data being maliciously retrieved from Microsoft’s data storage services, the data would never be readable due to the data encryption measures we have in place.

 

User Level

User level access is negotiated using the oAuth specification.

 

Authentication, Session Management, & Access Control

User credentials are encrypted and uniquely salted to protect them in case of unauthorized access. Every piece of the Bundledocs infrastructure provides encryption in-transit. All communications from the browser to the application as well as the application to the database, membership server and file storage are encrypted using SSL.

Bundledocs authenticates and authorizes every request to the application. This ensures that users are only capable of viewing data and performing actions they are permitted at the time of the request.

  • Users are logged out of the application after a period of inactivity. This ensures that unwanted access is not possible if a user leaves their account unattended.
  • Passwords are recovered by sending a reset password request to the users email address. This ensures that only the user with access to the users email account can change a password. 

 

For how long is my data stored?

In terms of retention periods of your completed bundles.  The standard is up to six versions of any completed bundle are retained. So if you created a seventh version of a particular bundle, the first will be deleted automatically.  You can also delete any version manually if you choose to do so.

A bundle will stay on the server until it’s deleted by the user or for 3 months after a users’ account has expired.

We do maintain backups for 7 days so it is possible that the data may be contained within the backups for up to 7 days.

 

How is disaster recover handled?

Bundledocs uses Azure Storage replication for disaster recovery and protection. Visit Microsoft Azure for more information.

 

XSS & Input Validation

ASP.Net Request Validation - prevents the server from accepting content containing un-encoded HTML. This feature is designed to help prevent some script-injection attacks whereby client script code or HTML can be unknowingly submitted to a server, stored, and then presented to other users. While input validation should always be performed both on the client and server, request validation provides a powerful filter on all incoming requests before they even reach the application.

ASP.Net MVC3 .Aspx View Engine - We encode all HTML output by default to protect against malicious user input that wasn’t properly validated. Validating user input is a key principle of building secure applications but this additional layer of security provided by the framework gives additional protection. 

 

How Do I Report A Security Incident?

Please contact us if you have you have experienced an incident with your account. Once we receive your report, we’ll send you an email telling you the best way to track the status of your report. We’ll begin to investigate the incident right away, and work with you to make sure we fully understand the problem. However, we won’t disclose any issues until we finish the investigation. Once the investigation is complete and the issue resolved, we’ll post a security update on our site giving you thanks and credit for the discovery.

 

How Can I Learn More About Cloud Security?

If you have other questions regarding how we keep your information secure, simply call us on +353 (0)21 482 6320 or

submit a request and we’ll get back to you as soon as possible.

 

Useful Links:

UK Law Society – Data Protection

ICO - Guide to Data Protection