Information Security at Zivver
December 2021
Security in our products
Our products are used to send and receive information securely, to avoid data leaks and comply with the concerning privacy and information protection regulations. Therefore, users rely on us when content matters. Zivver has implemented the security measures below in its products and continues to look for further improvements and upgrades.
Protecting your Data
All our user data is securely stored in our Virtual Private Cloud, which is spread across multiple ISO27001 certified and SOC 2 certified data centres in the European Union. This guarantees that the infrastructure complies to the most stringent access and maintenance standards where all data remains within the European Union. Currently we use AWS data centres (eu-west-1) for this purpose.
At Zivver we work continuously to guarantee the availability of user data. Our databases are structured in a redundant setup over two availability zones. This means if, in the unlikely event, one availability zone becomes unavailable, we can instantly switch to the other zone and ensure continuity. We have point in time recovery for 30 days, which means we can recover our data to any point in time in the last 30 days. Additionally a daily snapshot is made and copied to an alternative site. This backup is kept safely for 30 days as well. This mitigates the risk of unintended data loss.
Encrypting your Data
User messages are always encrypted with best practice encryption. Currently messages are encrypted with AES Encryption. Subsequently the AES Symmetric key is asymmetrically encrypted using RSA 2048. The (RSA) key to decrypt messages is derived from a secret provided by the user, which is either his or her password or a secret provided via a Single Sign On call by the organization he or she works. Zivver does not store the secret, nor the decryption (private) key. This means that nobody but the sender and the recipient of the message can decrypt the message and read its content.
Email Security
Zivver has implemented all industry best-practices regarding email security. These include DNSSEC, SPF & DKIM alignment and DMARC. These protocols are providing assurance to both senders and recipients regarding the authenticity of the sender and recipient. In other words, it provides assurance that the sender and the recipient are who they ‘say’ they are and offers protection against SPAM, phishing and impersonation.
Monitoring
All Zivver services are continuously monitored to ensure that abnormalities are quickly investigated and can be acted upon. Additionally, logging is in place and configuration changes are kept in revision control.
Secure Developing
Our goal is to keep our software free of security bugs. Our developers work according to best practices and security principles, such as the OWASP top 10, which are always top of mind and applied. All development work follows strict checks and balances and new software features are fully tested by Q&A. For technical staff knowledge of information security is mandatory and the knowledge is kept up to date by continuous training.
Security Testing
Multiple times per year we let our product and infrastructure be tested by independent, world class, researchers. Not only from the outside (black box testing), but also from the inside by giving the researchers accounts (grey box testing) and even the full source code of Zivver (white box testing). Currently we collaborate on this topic with the Hacking as a Service team of Deloitte. Every subsequent test Deloitte challenges us if we have taken appropriate measures to mitigate risks they have found in our product or infrastructure.
Additionally, we have many security researchers that enthusiastically participate in our active vulnerability disclosure program that is hosted through HackerOne. We motivate these researchers from all around the world to identify and report any potential security issues or other security weaknesses in our product and platform. This also really challenges us to continuously look for improving the security of our product.
Identity and Access Management
To keep access to the user data secure, Zivver enforces strong authentication for account access. Users can login to their account using their password and an SMS code or time-based one time password (for example using Google Authenticator).
Next to that, managing user accounts and keeping control over user access is made easy through SCIM and the so-called Sync tool, through which accounts in Zivver are automatically kept in sync with accounts in the customer’s Active Directory.
Security is a moving target
Keeping the product secure is one of Zivver's highest priorities. We continually keep an eye on trends in security, new technologies and new legislation to ensure we maintain our high standards. For this purpose, our personnel actively participate in to the latest knowledge programs and relevant courses.
Security in our organisation
At Zivver we want to do our utmost to ensure our entire organisation is as secure as it can get. As an important step, Zivver has already for many years a fully operational Information Security Management System (ISMS) that covers all information security risks and controls. This system includes a standardized ‘plan, do, check, act cycle’ that guarantees continuous improvement.
Zivver is ISO27001:2013 and NEN 7510:2017 certified. The ISO27001 is an internationally well-known standard for information security. The NEN 7510 is a Dutch add-on that is specifically about information security in the healthcare industry.
Additionally, Zivver is SOC 2 compliant and can share a SOC 2 Type 1 report upon request.
Employee Security
All Zivver employees and other personnel are subject to adequate and extensive confidentiality obligations. Zivver also performs background checks before employees start at Zivver, including requiring a Certificate of Conduct issued by the governmental authority of the country in which the new employee is residing or recently has resided. We keep our information security policies and our Information Security Management System documentation up to date. All employees frequently participate in security awareness sessions and training.
Access Management
Zivver employees or suppliers never have access to messages or attachments sent via Zivver by our users. Access to other user and customer data, like the email address and name, is limited on a need-to-know basis. Access is always approved by a member of the leadership team and the Information Security Officer (ISO). The access is reviewed on a monthly basis.
Assets and Office Security
The workstations are kept secure by timely installing security updates and keeping the anti-virus software up to date. In addition, we keep a list of software that is allowed to be used by Zivver employees, which have gone through a strict vetting process and ultimately approved by the ISO for security and compliance aspects.
The security of our internal IT has been audited and we have received the Cyber Essentials Plus Certificate.
The office is well protected by several measures, such as an alarm and access control and a fully functioning front desk security. Additionally, Zivver has implemented a clear screen policy, a clean desk policy and a ‘always lock your computer if you leave your desk policy’.
Incident Response
Zivver has standard and tested security incident response procedures. The procedures make sure we take the required steps. For every incident we identify the root cause and possible improvement actions, such as changing/updating policies and procedures or adding additional checks.
Additionally, Zivver annually tests its business continuity plans.