Security at SROP
Self-destructible messages and secure drop areas for your clients, are but a few of SROP's features that enable you to safely and securely send and receive sensitive information and documents.
01
Platform and Network Security
-
Test all services in an automated manner with an achieved test coverage of above 95%.
-
Automated controls to keep our platform dependencies and infrastructure updated.
-
Daily automated vulnerability scans on our public API and systems.
02
Encrypted During Transit and Storage
-
All of our data are stored encrypted.
-
Data encryption uses a minimum of a 256 bit key.
-
Each company has their own encryption key (no shared keys).
-
All encryption keys are stored on specialized hardware (AWS KMS).
-
All transfer of data is performed over HTTPS (TLS >= 1.2) with no less than a 2,048 bit key.
03
Storage of Secrets
-
All secrets are stored using AES256 symmetric encryption.
-
All secrets are stored into separate physical databases with stricter access controls.
-
Keys for encrypting and decrypting are stored on AWS KMS.
-
When a password is provided it is mixed into the encryption key.
04
Data Retention & Disaster Recovery
-
Backup of Secrets, “secret requests” and other sensitive objects are on a 1 day retention due to their sensitive nature.
-
Automated controls to keep our platform dependencies and infrastructure updated.
-
Customer and Audit log data are destroyed after 10 days from account deletion.
-
Dissaster Recovery scenarios are exercised quarterly and runbooks are updated or created as needed.
Compliance & Governance
SROP is in the process of getting ISO27001 certified.
All the data centres SROP uses are readily compliant with ISO27001, SOC-1,2,3 PCI-DSS L1 and more.