Security

Security in our products 
Our products are used to send and receive information securely, to avoid data leaks and comply with the concerning privacy and information protection regulations. Therefore, users rely on us when content matters. Zivver has implemented the security measures below in its products and continues to look for further improvements and upgrades. 

Protecting your Data 
All our user data is securely stored in our Virtual Private Cloud, which is spread across multiple ISO27001 certified and SOC 2 certified data centres in the European Union. This guarantees that the infrastructure complies to the most stringent access and maintenance standards where all data remains within the European Union. Currently we use AWS data centres (eu-west-1) for this purpose.
At Zivver we work continuously to guarantee the availability of user data. Our databases are structured in a redundant setup over two availability zones. This means if, in the unlikely event, one availability zone becomes unavailable, we can instantly switch to the other zone and ensure continuity. We have point in time recovery for 30 days, which means we can recover our data to any point in time in the last 30 days. Additionally a daily snapshot is made and copied to an alternative site. This backup is kept safely for 30 days as well. This mitigates the risk of unintended data loss.  

Encrypting your Data 
User messages are always encrypted with best practice encryption. Currently messages are encrypted with AES Encryption. Subsequently the AES Symmetric key is asymmetrically encrypted using RSA 2048. The (RSA) key to decrypt messages is derived from a secret provided by the user, which is either his or her password or a secret provided via a Single Sign On call by the organization he or she works. Zivver does not store the secret, nor the decryption (private) key. This means that nobody but the sender and the recipient of the message can decrypt the message and read its content.

Email Security
Zivver has implemented all industry best-practices regarding email security. These include DNSSEC, SPF & DKIM alignment and DMARC. These protocols are providing assurance to both senders and recipients regarding the authenticity of the sender and recipient. In other words, it provides assurance that the sender and the recipient are who they ‘say’ they are and offers protection against SPAM, phishing and impersonation.

Monitoring 
All Zivver services are continuously monitored to ensure that abnormalities are quickly investigated and can be acted upon. Additionally, logging is in place and configuration changes are kept in revision control. 

Secure Developing 
Our goal is to keep our software free of security bugs. Our developers work according to best practices and security principles, such as the OWASP top 10, which are always top of mind and applied. All development work follows strict checks and balances and new software features are fully tested by Q&A. For technical staff knowledge of information security is mandatory and the knowledge is kept up to date by continuous training. 

Security Testing
Multiple times per year we let our product and infrastructure be tested by independent, world class, researchers. Not only from the outside (black box testing), but also from the inside by giving the researchers accounts (grey box testing). 

Additionally, we have an active vulnerability disclosure program. We motivate researchers from all around the world to identify and report any potential security issues or other security weaknesses in our product and platform. This also really challenges us to continuously look for improving the security of our product. 

Identity and Access Management 
To keep access to the user data secure, Zivver enforces strong authentication for account access. Users can login to their account using their password and an SMS code or time-based one time password (for example using Google Authenticator). 

Next to that, managing user accounts and keeping control over user access is made easy through SCIM and the so-called Sync tool, through which accounts in Zivver are automatically kept in sync with accounts in the customer’s Active Directory. 

Security is a moving target
Keeping the product secure is one of Zivver's highest priorities. We continually keep an eye on trends in security, new technologies and new legislation to ensure we maintain our high standards. For this purpose, our personnel actively participate in to the latest knowledge programs and relevant courses. 

Security in our organisation
At Zivver we want to do our utmost to ensure our entire organisation is as secure as it can get. As an important step, Zivver has already for many years a fully operational Information Security Management System (ISMS) that covers all information security risks and controls. This system includes a standardized ‘plan, do, check, act cycle’ that guarantees continuous improvement.