Data stays inside Europe
- ZIVVER stores data in ISO 27001-certified data centres
- These data centres are physically located in the EEA (European Economic Area)
- Protection of the data is contractually arranged in Data Protection Agreements and Model Clauses
Safe connection between sender, ZIVVER and recipient
- ZIVVER communicates with both the sender and the recipient over a TLS connection (still widely called SSL, although the original SSL protocol versions are obsolete).
- A TLS connection is an encrypted connection between the server (ZIVVER) and the visitor (sender and recipient). It is recognisable by the https:// scheme in the URL (https://domain.com). A browser shows a padlock next to the URL when the connection is secured; older browsers also showed a green bar for extended-validation certificates. Before showing the padlock the browser checks that the certificate is valid, was issued for that hostname and chains to a trusted certificate authority, and it warns the visitor if any of these checks fail.
- Transport encryption is in effect required by the Data Protection Act: people must be able to send personal data over a secured connection, and TLS is the only mechanism in wide use for web traffic.
- TLS certificates are issued by certificate authorities. ZIVVER's certificate is issued by Comodo; anyone can inspect it through the browser's certificate viewer.
Full encryption of stored data
- The data you send with ZIVVER is encrypted before it is stored, using proven technology. ZIVVER ensures that only the sender and recipient have access to this data.
- Technical specifications: ZIVVER never stores passwords in plain text and has no access to the decryption keys of data at rest. Passwords are hashed with bcrypt, and the hash is used only to verify the password at login.
- The user's password is the root of the decryption key: the key is derived from the password with PBKDF2 using HMAC-SHA256. Files are encrypted with AES-128-GCM, an authenticated-encryption mode that protects both the confidentiality and the integrity of the file: a modified ciphertext fails the authentication check and is rejected rather than decrypted to garbage.
- Each file gets a unique encryption key and a unique initialisation vector (nonce); a nonce must never be reused under the same key, because that breaks GCM. The per-file keys are in turn encrypted with RSA-2048. Keys and initialisation vectors are generated by a cryptographically secure pseudo-random number generator (CSPRNG).
Second factor authentication via text or authenticator app
- Two-factor authentication (TFA) is an extra step during login. With TFA switched on, an attacker who has obtained the password still needs something else, such as a mobile phone, token or fingerprint, and that is hard to obtain from behind a desk somewhere else. When sending personal data, the use of TFA is particularly recommended.
- ZIVVER uses TFA both for securing user accounts and for securing messages. Thanks to its login protocol, a logged-in ZIVVER user does not have to enter a second factor for every message. ZIVVER users can also mark their own computer, telephone or tablet as trusted for 30 days; during that period the codes do not have to be re-entered. Safe, yet easy!
- ZIVVER offers two options for TFA via mobile phone: a time-based one-time code from an authenticator app, or a code sent by text message. Only the smartphone linked to the user account (in the authenticator case, the one holding the shared secret) produces the right code. With a text message code, ZIVVER sends a short access code to the registered mobile phone number. Of the two, the authenticator app is the stronger option, because it does not depend on the mobile network to deliver the code.
- If TFA via a mobile phone is not possible or desirable, ZIVVER offers TFA by means of an extra password. This password only adds security when sender and recipient share it over a channel other than the recipient's email address, for instance on paper or by telephone; a password sent to the same mailbox as the message adds nothing if that mailbox is compromised.
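The time-based code from an authenticator app, as an added example in Go (standard library only; this is not ZIVVER's code, and the page does not say how its server validates codes). It is the RFC 6238 TOTP algorithm as authenticator apps implement it, with the two checks a verifying server needs: a one-step window either side for clock drift, and a record of the last accepted step so a code captured in transit cannot be replayed inside its 30-second lifetime. The shared secret is the RFC test secret, the six-digit length matches what apps display, and the trusted-device and text-message paths are not modelled.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"crypto/subtle"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

const stepSeconds = 30 // RFC 6238 time step; the default in authenticator apps

// hotp is RFC 4226: HMAC-SHA1 over the big-endian 8-byte counter, dynamic truncation, mod 10^digits.
func hotp(secret []byte, counter uint64, digits int) string {
	mac := hmac.New(sha1.New, secret)
	mac.Write(binary.BigEndian.AppendUint64(nil, counter))
	sum := mac.Sum(nil)
	offset := sum[len(sum)-1] & 0x0f
	code := binary.BigEndian.Uint32(sum[offset:offset+4]) & 0x7fffffff
	mod := uint32(1)
	for i := 0; i < digits; i++ {
		mod *= 10
	}
	return fmt.Sprintf("%0*d", digits, code%mod)
}

// totp is RFC 6238: HOTP with the counter set to the number of 30-second steps since the Unix epoch.
// Phone and server compute the same value from the shared secret and the clock; only the code travels.
func totp(secret []byte, at time.Time, digits int) string {
	return hotp(secret, uint64(at.Unix()/stepSeconds), digits)
}

// Verifier is the server-side state for one account: the shared secret and the last step accepted.
type Verifier struct {
	Secret   []byte
	Digits   int
	LastStep uint64 // a code for this step or an earlier one is never accepted again
}

// Verify accepts the current step and one step either side (clock drift), compares in constant time,
// and refuses any step at or below the last accepted one, so an intercepted code cannot be replayed.
func (v *Verifier) Verify(code string, now time.Time) bool {
	step := now.Unix() / stepSeconds
	for _, delta := range []int64{0, -1, 1} {
		candidate := step + delta
		if candidate < 0 || uint64(candidate) <= v.LastStep {
			continue
		}
		expected := hotp(v.Secret, uint64(candidate), v.Digits)
		if subtle.ConstantTimeCompare([]byte(expected), []byte(strings.TrimSpace(code))) == 1 {
			v.LastStep = uint64(candidate)
			return true
		}
	}
	return false
}

func main() {
	secret := []byte("12345678901234567890") // RFC 4226/6238 test secret, not a real one
	v := &Verifier{Secret: secret, Digits: 6}
	now := time.Now()
	code := totp(secret, now, 6)
	fmt.Println(code, v.Verify(code, now), v.Verify(code, now)) // second attempt is a replay
}
```

The generator can be checked against the RFC vectors (counter 1 of RFC 4226 gives 287082; time 59 with eight digits gives 94287082). The replay record matters because a TOTP code is valid for the whole window, not just once: without it, a code phished seconds ago still works.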
Backup codes against data loss in case of forgotten passwords
- Protecting communication should not lead to loss of data. Yet losing your password means that your ZIVVER account is no longer accessible: ZIVVER itself cannot decrypt the information without the password.
- Administrators can recover an account whose password has been lost.
- Users can download backup codes for the case that they no longer have access to their second factor, for instance when the mobile phone has been left at home. Administrators can also provide access to these backup codes.
- Because a backup code stands in for the second factor, safe storage of the backup codes is essential. Within organisations, permission/cooperation of the security officer is required for the use of backup codes.
Safety comes first
- Privacy verified: ZIVVER has been tested for compliance with best practices in privacy legislation and regulation and has been awarded the Privacy Verified certificate. We meet the most stringent international privacy rules!
- ZIVVER has an ISO 27001:2013 and NEN 7510:2011 certified Information Security Management System (ISMS).
- Madison Gurkha has reviewed ZIVVER's source code and deemed it safe. The report can be viewed on request.
- Deloitte periodically tests the security of the ZIVVER applications with its service "Hacking as a Service – Gold level". In doing so, ZIVVER shows that security is a continuous process and gets periodic assistance to keep improving it.
- ZIVVER encourages 'friendly hackers' to report possible vulnerabilities in its products and services.
- Important elements of our methods that guarantee your safety:
  - Internal privacy & security officer
  - External auditors
  - Two-factor authentication for sensitive components
  - Employee access to data on the basis of the need-to-know principle
  - Four-eyes principle for critical company components
  - Detailed logging & monitoring (internal and external)
  - Outsourcing policy with a confidentiality statement and a processing statement
  - Employees hold a certificate of conduct
  - Confidentiality is recorded in the employment agreement of every employee.
ZIVVER is verifiably safe