At Uva Software, LLC (the company behind Scanii.com) we strive to apply the latest physical and logical security methodologies to protect our customer data at rest and in transit - this is why customers should trust us.
Access control and organizational security
All of our employees and contractors sign confidentiality agreements before gaining access to our code and privileged/production access is only given to those that need it in order to do their jobs.
We require all employees to follow common security practices:
● Disk encryption for all company provided IT equipment
● Utilize unique strong passwords securely managed by a password manager
● Enable two factor authentication for all sites that support it
All production operations happen using Amazon Web Services and we require two factor authentication for console and remote access.
No software is perfect and today’s applications rely on an ever growing number of third party open source libraries. To help quickly react and address software vulnerability problems we have a simple and effective bounty system in place that, over the years, has paid thousands of dollars for responsible vulnerability disclosures. You can find more about it here .
We also submit to a yearly penetration test done by a reputable third-party security company with a report available upon request.
We deploy a network-based automated intrusion detection system (IDS), AWS GuardDuty, in all regions we operate. This system continually analyzes our CloudTrail, VPC Flow as well as DNS request logs and triggers an alert if suspicious activity is identified.
Audit, Security Policies and Standards
We submit a self-assessment for PCI compliance yearly (SAQ) and a copy can be provided upon request after an NDA is signed. As a company we do not currently plan on performing a SOC audit of our own, but we rely solely upon Amazon Web Services for our data center needs and they have an extraordinarily strong compliance policy - we are also able to share their SOC and ISO reports upon request.
Software Development Lifecycle
Software is inherently hard hence we strive to use the latest methods and tools to deliver the most reliable, secure and capable product to our customers. Today, this is how we create software:
- Features and bugs start as Github issues against a specific source code project. Severity and other metadata is assigned to the issue via labels.
- Engineering and Product prioritize the features that should receive immediate engineering time
- Development starts against a specific issue culminating with a pull request for review, automated testing and eventual upstream merge. Once the pull request is merged the issue ticket is closed
- Once merged our CI/CD service will build, test and deploy the changes to production using Amazon tooling on a per reason basis (for multi region services)
- In case of a regression, the deploy will be rolled back to the previous version
Intellectual property protection
Protecting our rights
Like most modern businesses, we rely upon a large amount of open source software to deliver our services to customers. To protect against the accidental introduction of a viral license (such as GPL ) in our codebase we utilize an automatic license checker integrated into our source code build infrastructure. Software acquired via other means is manually tracked in a separate licenses.yml file included in our source code for manual auditing.
Protecting the rights of others
Employees must comply with all applicable laws regarding handling and modifying IP owned by others and we claim no ownership of content submitted for analysis by our service.
Data sovereignty, protection and privacy
We built our product to have a strong data sovereignty stance from the beginning by deploying region specific versions of our software across data centers in the US, Europe and Australia. Content sent to a specific processing region will never traverse to another.
We never permanently store customer files. Your data is only in our servers for the extent of time necessary to process and fingerprint it (usually seconds), after that we store metadata about its content to help us improve the overall engine accuracy. All stored metadata is inferred and will never include any user provided information such as file name or type.
For content identification engines that require image processing, we may submit your content to other Amazon services within the same processing region. These services will also never permanently store your files or utilize it for their own training.
Encryption in transit and at rest
In transit (that is, as your files are being transferred via the internet) all traffic is encrypted using state of the art TLS encryption with certificates provided by Amazon’s Certificate Manager .
At rest (that is once your files have reached our content processing servers) your files are buffered to encrypted disks using industry standard AES-256 for processing.
We strive for A+ TLS settings grade by ssllabs and you can review our scores for yourself here:
Other data points, such as your email and information about your API keys are all stored in an encrypted RDS database or encrypted S3 bucket - both also use the AES-256 algorithm.
All account passwords are hashed using NIST recommended PBKDF2.
We utilize state of the art datacenters from Amazon Web Services in multiple regions utilizing the latest in physical and logical security. You can find out more about it here https://aws.amazon.com/compliance/data-center/controls/ .
Backup and disaster recovery
We ensure that all production systems that store state related to providing our services to customers comply with the following backup strategy:
● Daily backups for 30 days
● Point in time restore capability for all databases
● All backups must be remotely stored
A business continuity plan ensures that our company could recover from a catastrophic incident in 24 hours or less by re-deploying our services to another Amazon Web Services region.
At Uva Software, LLC we understand that holding on to customer data, even if for a split second, comes with a lot of responsibility and it could make or break our company. That’s why, since 2007, we have been investing in people and technology to earn your business and provide the best quality content identification service so you can trust your user generated content.