Security at DocEvent.io
Placing your data in the hands of a third-party provider requires robust security precautions. Safeguarding your data's security and integrity is paramount to us, and we have designed our services with this in mind. We regularly conduct risk assessments, which guide the implementation of security measures and controls to ensure risks are minimized to an acceptable degree.
This article outlines the technologies and processes we use to protect your data and provides insight into our security culture. While we strive to be clear and legally precise, this sometimes means the explanations may not be the simplest. If anything is unclear, feel free to reach out through the Contact Support page.
Security at DocEvent.io
DocEvent.io is an online FTP service designed with an easy-to-use interface and a strong focus on data security. The confidentiality, integrity, and availability of your data are critically important to us, and our services are built around this principle.
Our goal is to ensure our clients’ security while using DocEvent.io, and to assist them in achieving certifications and compliance with relevant regulations through our platform.
To uphold this commitment, our Simple FTP service is designed so that, by default, we are unable to view your data, whether in transfer or at rest. This core principle guides everything we do. Additionally, we are in the process of completing and certifying for various international standards to further strengthen our security posture.
PCI DSS
The DocEvent.io platform does not store payment data. We rely on a PCI DSS certified third-party service to securely accept and process credit card information in compliance with these standards, ensuring security whenever the Payment question is used.
Using a PCI DSS certified third-party service guarantees compliance with the Payment Card Industry Data Security Standards (PCI DSS 3.2) and the Revised Directive on Payment Services (PSD2).
OWASP
We adhere to OWASP guidelines in the secure development and testing of our applications.
NIST
We follow the NIST Cybersecurity Framework, which offers a policy framework for computer security guidance. This framework helps us assess and enhance our ability to prevent, detect, and respond to cyber attacks.
FIPS
We adhere to FIPS standards in all our systems that involve cryptographic methods.
Security monitoring and auditing
DocEvent.io collects application, infrastructure, and system logs in a centrally managed log repository for monitoring, troubleshooting, security reviews, and analysis by authorised personnel. Logs are retained in compliance with regulatory requirements to support investigations in the event of a security incident.
Security organisation
DocEvent.io has an information security department that is specifically responsible for and accountable for security administration. This department directly manages and oversees risk assessment, the development of policies, standards, and procedures, testing, and security reporting processes.
A Security Committee, composed of the highest-level decision-makers and management in the organisation regarding information security, is also in place. The Security Committee is responsible for ensuring compliance with corporate security principles, defining security and business continuity initiatives, and ensuring the security of both the company and the platform.
Physical security
DocEvent.io’s infrastructure is hosted by Amazon Web Services (AWS), with our main servers located in the us-east-1, ap-southeast-2, and eu-west-1 regions. Our primary authentication for web login is handled by a Cognito service in AWS us-east-1.
As of 2019, DocEvent.io operates as a 100% remote company worldwide, making AWS data centres our only physical premises.
All physical security measures for AWS facilities are governed by the AWS Shared Responsibility Model.
Segregation levels
We segregate access to our data across different levels:
- Tenant level: Multi-tenant infrastructure where resources are shared among tenants.
- Organisation level: We have established separate AWS organisations for authentication, development, test and production; each environment is segregated from the others.
- AWS resource level: Data is segmented across various clusters of databases for metadata and configuration storage, e.g. Elasticsearch.
- Application level: Customers are logically segmented within the application layer by a common API authentication endpoint service, used for logging and continuity between all services.
Network security
Each of our environments is hosted in separate AWS Organisations within Amazon Web Services. Access to servers is tightly controlled by security groups.
To provide an additional layer of internal and external network security, we have implemented state-of-the-art perimeter controls, including Firewalls, Intrusion Detection Systems, Web Application Firewalls, and other advanced security measures at the edge locations.
Access to our servers is strictly limited.
Access control
Access to DocEvent.io resources is only allowed through secure connectivity methods such as AWS SSM, along with multi-factor authentication. We adhere to the principle of least privilege, ensuring that every access is audited, tracked, and monitored so that employees only have the permissions necessary to perform their duties.
This approach ensures that employees can only access DocEvent.io systems via an extra-secure connection. When someone leaves the company, their access is immediately revoked.
Access to customer data by DocEvent.io
Our Simple FTP Service is designed so that we are not able to view customer data as it is transferred to the customer's chosen backend servers. It is designed to pipe data from an incoming SFTP or FTPS connection directly to the endpoint of the customer's choice, e.g. Azure, AWS, GCS or another S3-compatible service.
Our Channels Service stores data in encrypted S3 buckets that are not publicly accessible and adhere to our network security and access control principles. We remove data immediately once:
- The file transferred reaches all destinations that are required
- The file transfer fails after a predefined set of retries
- The file is older than 7 days
Keys to access any customer buckets or customer services and endpoints, including any private configuration information and passwords, are encrypted using AWS KMS. The service is designed so that no staff have access to the keys or are able to use them for decryption.
DocEvent.io stores the following personally identifiable information (PII):
- From our customers: This includes basic identification and contact data, as well as billing information, necessary to provide our services, customer support, and billing. Credit card information or bank account details are handled by a PCI DSS certified third party.
Security policies and awareness
We maintain a comprehensive set of information security policies aligned with the ISO 27001 standard to ensure compliance and to guide our employees and contractors in making sound security decisions. These policies cover a range of areas, including password management, data protection and classification, secure communications, continuity and contingency planning, acceptable use of workstations and mobile devices, and backup procedures, among others. We review and update these policies at least annually or whenever a significant change occurs.
All employees and contractors are bound by non-disclosure agreements, and we provide ongoing security awareness training throughout the company. Additionally, all service providers and contractors who process any personal data you have entrusted to us are required to sign data processing agreements in accordance with European data protection laws, ensuring an adequate level of protection.
This ensures that everyone at DocEvent.io adheres to our internal security guidelines, receives regular training on them, and operates under policies that are consistently updated.
Penetration tests
As part of our security strategy, we engage well-recognised security research firms to conduct penetration tests on our platform. Vulnerabilities and findings are ranked by severity and prioritised for resolution accordingly.
This means we bring in security experts to rigorously test the boundaries of our security infrastructure, helping us identify and address any potential weaknesses.
Vulnerability assessments and penetration tests are integral to our Cybersecurity Control policy and S-SDLC procedure:
- Web application reviews for detecting vulnerabilities in all web services exposed to the internet are conducted at least once per quarter.
- Intrusion tests and expert security reviews are performed to identify nonconformities with security requirements and evaluate robustness against these types of attacks.
Data protection measures
Once your information enters DocEvent.io’s systems, it is secured with multiple layers of encryption and access controls. We encrypt your data in transit (end-to-end, including within the virtual private cloud at AWS) using secure TLS cryptographic protocols (TLS 1.2 & TLS 1.3). Data at rest, including backups, is encrypted using the Advanced Encryption Standard (AES) with a 256-bit key.
Additionally, all workstations and devices used by DocEvent.io are fully encrypted to ensure the confidentiality of the information they hold.
Data retention
Customer data is retained for as long as necessary based on the purposes for which it was collected and in accordance with applicable laws. Additionally, certain data may be legally required to be kept indefinitely. However, if you wish to have your data completely removed from the DocEvent.io platform, you can request deletion at any time through our standardized process and procedure by contacting support@docevent.io.
DocEvent.io is designed to be both scalable and fault-tolerant. If one machine fails, another is immediately ready to take over. This redundancy is built into all levels of the platform.
In line with AWS best practices, we utilize a Multi-Availability Zone architecture. If an entire Availability Zone fails, the remaining machines in the functioning zones can continue to run the entire service.
In the event of a failure in one region, our service will remain available in all other regions.
We also maintain redundant backups of critical data, which are transferred to a separate AWS location and organisation to ensure business continuity in the event of a disaster. Backup retention is set to 30 days. Our snapshots are executed once every 4 hours. If a critical disaster occurs and a restore is necessary, all data from the previous snapshot will be restored.
DocEvent.io implements various integrity security controls across its services and servers to ensure the quality, accuracy, and completeness of data throughout its entire lifecycle.
Asset management
DocEvent.io maintains an asset management policy that includes the identification, classification, retention, and disposal of information and assets.
DocEvent.io devices are equipped with full disk encryption and up-to-date antivirus software that reports to a centralised control system, utilising real-time, scanless monitoring technology.
Access to DocEvent.io devices is secured by multi-factor authentication (MFA) and Mobile Device Management (MDM) technologies, providing an additional layer of security. In the case of a disaster, only DocEvent.io and verified devices are permitted to access corporate networks; however, in general day-to-day business, no access is granted to any device, whether it is within our assets or not.
Information security incident management
DocEvent.io has security incident response policies and procedures that comply with Articles 34 and 35 of the GDPR. These policies outline the necessary steps to handle security incidents, including initial response, investigation, and notification in accordance with applicable laws. Additionally, the company has established a Personal Data Breach Notification procedure to notify both EU and US supervisory authorities, as well as affected data subjects, in line with GDPR and other data protection regulations.
All suspected or confirmed privacy or data security incidents must be reported following our security policies. DocEvent.io employees who identify a potential incident are responsible for initially classifying its severity based on their assessment. All incidents must be reported as soon as possible after identification, without undue delay.
We are committed to keeping our customers fully informed about any matters relevant to the security of their account and to providing all necessary information to help them meet their own regulatory reporting obligations.
You can communicate with our Security department via support@docevent.io.
Continuity
DocEvent.io has well-defined contingency and continuity plans based on comprehensive risk analysis. In the event of an emergency, these specific contingency plans are designed to ensure the continuation of critical business processes while safeguarding the integrity of data as the organisation operates in emergency mode.
Development
Our development team utilizes secure coding techniques and best practices, with a focus on the OWASP Top Ten, under the supervision of the Security department. Developers receive periodic training in secure practices, starting from their onboarding.
Test and production environments are completely isolated and separated, both by VPC and by AWS Organisation. All changes undergo thorough reviews for performance, audit, and security considerations before being fully deployed to the production environment. Multiple approvals are required before implementing changes in production to mitigate risks, including those from internal sources. DocEvent.io never uses real data in non-production environments.
Any impact on the service can be monitored at any time on the DocEvent.io status page.
Virtualisation security
DocEvent.io applications are built using a microservice architecture with a container orchestration system for automatic software deployment, scaling, and management. This architecture is supported by a service mesh that facilitates service-to-service communication between microservices, ensuring secure connections and monitoring of services.
DocEvent.io implements controls to secure workloads at various stages—build, deploy, and runtime. These controls include image scanning, securing CI/CD pipelines, secrets management, encryption, observability, and threat detection.
Secret authentication information management
DocEvent.io customers can authenticate using a local password. Their credentials are securely stored in a third-party authentication cloud (AWS Cognito, in the us-east-1 region), utilizing salted bcrypt with a high number of rounds to protect passwords.
Customers can reset their passwords or unlock their accounts using their pre-configured email addresses at any time.
DocEvent.io also provides a two-factor authentication (2FA) mechanism that customers can easily enable.