Security & Architecture

Our approach to security

Security is a top priority for DocuVision, both because we care about it and because it matters to you. DocuVision is committed to securing your data.
DocuVision uses a variety of industry-standard technologies and services to protect your data against unauthorized access, disclosure, use and loss.

Security is directed by DocuVision’s President and Chief Product Officer and maintained by DocuVision’s Chief Technology Officer.

Architecture

Executive summary

DocuVision currently uses the following cloud services (the “Cloud Services”): Amazon Web Services (AWS), Google Cloud Platform (GCP) and/or Microsoft Azure (Azure). Data is processed with ephemeral storage in AWS, GCP or Azure, and processing may make use of external API calls as described below.

DocuVision employees do not have physical access to any of the GCP, AWS or Azure data centers, servers, network equipment, or storage.

Processing

DocuVision processes data in the Cloud Services using a combination of serverless processing and compute instances, and stores data in the Cloud Services as further described under ‘Storage, data retention and disposal’ below.

Third party API calls

DocuVision makes external API calls where they improve the quality of results.

For OCR and entity detection, APIs from Microsoft, Google, IBM or AWS may be called.

Cloud Services for processing and API calls

DocuVision has reviewed the documentation for the Cloud Services and API services it uses (linked below) and understands from that documentation that none of your data is stored by these services beyond the completion of processing by the provider.

Security approaches of the Cloud Services

Each of the Cloud Services uses a combination of approaches to keep its infrastructure secure, including the following:

  • Physical access control
  • Personnel security
  • Logical access control
  • Penetration testing
  • Third party audits
  • Intrusion detection and prevention

You can find further information in the documentation from the Cloud Services:

GCP

https://cloud.google.com/terms/data-processing-terms
https://cloud.google.com/terms/service-terms
https://cloud.google.com/vision/docs/data-usage
https://cloud.google.com/terms/data-processing-terms/partner/

Azure

https://azure.microsoft.com/en-us/overview/trusted-cloud/
https://download.microsoft.com/download/1/6/0/160216AA-8445-480B-B60F-5C8EC8067FCA/WindowsAzure-SecurityPrivacyCompliance.pdf

AWS

https://aws.amazon.com/security/

IBM

https://cloud.ibm.com/apidocs/natural-language-understanding#data-handling

Security

Data encryption in transit

All data transmitted between DocuVision clients and the DocuVision service is protected with strong encryption protocols. DocuVision supports the latest recommended secure cipher suites for all traffic in transit, including TLS 1.2, AES-256 encryption and SHA-2 based signatures, whenever the client supports them.
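
The following is an added example, not DocuVision’s own code, showing how a client can enforce and audit the transport policy stated above (TLS 1.2 as the floor, AES-256 encryption, SHA-2 based suites). The explicit cipher list and the policy-check rules are this example’s own assumptions drawn from that statement; the negotiation samples it checks are constructed, not captured traffic.

```python
"""Client-side enforcement and audit of a TLS transport policy.

Added example, not DocuVision code. Assumed policy (from the page):
TLS 1.2 minimum, AES-256 encryption, SHA-2 based cipher suites.
The explicit cipher list below is this example's own choice.
"""
import ssl

# TLS 1.2 suites permitted by the assumed policy: ECDHE key exchange,
# AES-256-GCM (AEAD) and SHA-384 (SHA-2 family). OpenSSL manages TLS 1.3
# suites separately, so set_ciphers() does not affect them.
TLS12_CIPHER_POLICY = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:"
    "ECDHE-RSA-AES256-GCM-SHA384"
)

MIN_PROTOCOL = "TLSv1.2"
_PROTOCOL_RANK = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def make_hardened_context() -> ssl.SSLContext:
    """Build a client context that refuses anything below TLS 1.2 and only
    offers the AES-256-GCM suites above. Certificate verification and
    hostname checking stay enabled, as create_default_context() sets them."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(TLS12_CIPHER_POLICY)
    return ctx


def audit_context(ctx: ssl.SSLContext) -> dict:
    """Report what a context would actually offer, so a reviewer can confirm
    the policy from the live cipher list rather than the config string."""
    tls12 = [c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2"]
    return {
        "min_version_ok": ctx.minimum_version >= ssl.TLSVersion.TLSv1_2,
        "tls12_suites": tls12,
        # Anything offered for TLS 1.2 that is not AES-256-GCM violates policy.
        "weak_tls12_suites": [s for s in tls12 if "AES256-GCM" not in s],
    }


def meets_policy(protocol: str, cipher_name: str, key_bits: int) -> bool:
    """Check a negotiated connection against the policy. The arguments map to
    sock.version() and the (name, _, bits) tuple returned by sock.cipher()."""
    if _PROTOCOL_RANK.get(protocol, -1) < _PROTOCOL_RANK[MIN_PROTOCOL]:
        return False                      # SSLv3, TLS 1.0 and TLS 1.1 rejected
    if key_bits != 256:
        return False                      # 128-bit suites rejected
    # Normalise OpenSSL names (ECDHE-RSA-AES256-GCM-SHA384) and IANA names
    # (TLS_AES_256_GCM_SHA384) to one form before matching.
    name = cipher_name.replace("_", "").upper()
    if "AES256" not in name or "GCM" not in name:
        return False                      # not AES-256 in an AEAD mode
    if "SHA384" not in name and "SHA256" not in name:
        return False                      # SHA-1 based suites rejected
    return True


if __name__ == "__main__":
    print(audit_context(make_hardened_context()))
    # Constructed negotiation results, in the shape a client would get from
    # sock.version() and sock.cipher() after wrapping a socket with the context.
    samples = [
        ("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 256),
        ("TLSv1.3", "TLS_AES_256_GCM_SHA384", 256),
        ("TLSv1.0", "AES256-SHA", 256),
        ("TLSv1.2", "ECDHE-RSA-AES256-SHA384", 256),
    ]
    for protocol, suite, bits in samples:
        verdict = "OK" if meets_policy(protocol, suite, bits) else "REJECT"
        print(f"{protocol:8} {suite:32} {bits} -> {verdict}")
```

The audit deliberately reads back `get_ciphers()` instead of trusting the cipher string: a typo in the policy string, or an OpenSSL build that lacks a suite, changes what is actually offered, and `minimum_version` is what stops a downgrade to TLS 1.0/1.1 regardless of which suites remain. The CBC suite in the samples is rejected because the check requires an AEAD (GCM) mode, which is stricter than the bare “AES256 and SHA2” wording above.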

Data encrypted at rest

Data at rest in DocuVision’s production network is encrypted using FIPS 140-2 compliant encryption standards. This applies to all types of data at rest within DocuVision’s systems: relational databases, file stores, database backups and so on. All encryption keys are stored on a secure server in a segregated network with very limited access. DocuVision has implemented appropriate safeguards to protect the creation, storage, retrieval and destruction of secrets such as encryption keys and service account credentials.

Each DocuVision customer’s data is hosted in our shared infrastructure and is logically or physically separated from other customers’ data. We use a combination of storage technologies to protect customer data from hardware failures and to return it quickly when requested. The DocuVision service is hosted in data centers maintained by industry-leading service providers, offering state-of-the-art physical protection for the servers and infrastructure that make up the DocuVision operating environment.

Network Security and server hardening

DocuVision divides its systems into separate networks to better protect sensitive data. Systems supporting testing and development are hosted in a separate network from systems supporting DocuVision’s production infrastructure. All servers in the production fleet are hardened (for example by disabling unnecessary ports and removing default passwords) and have a base configuration image applied to ensure consistency across the environment. Network access to DocuVision’s production environment from open, public networks (the Internet) is restricted, with only a small number of production servers reachable from the Internet. Only those network protocols essential for delivering DocuVision’s service to its users are open at the perimeter, and mitigations against distributed denial of service (DDoS) attacks are deployed there. Additionally, for host-based intrusion detection and prevention, DocuVision logs, monitors and audits all system calls and has alerting in place for system calls that indicate a potential intrusion.

Access Control

Provisioning

To minimize the risk of data exposure, DocuVision adheres to the principles of least privilege and role-based permissions when provisioning access—workers are only authorized to access data that they reasonably must handle in order to fulfill their current job responsibilities. All production access is reviewed at least quarterly.

Authentication

To further reduce the risk of unauthorized access to data, DocuVision requires multi-factor authentication for all access to systems holding highly classified data, including the production environment that houses customer data. Where possible and appropriate, DocuVision uses key-based authentication in addition to multi-factor authentication, with the second factor held on a separate device.

Password Management

DocuVision requires personnel to use an approved password manager. Password managers generate, store and enter unique, complex passwords, which reduces password reuse, phishing and other password-related risks.

System Monitoring, Logging, and Alerting

DocuVision monitors its servers to maintain and analyze a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands and system calls on all servers in DocuVision’s production network are logged and retained for at least two years. Log analysis is automated as far as practical to detect potential issues and alert responsible personnel. All production logs are stored in a separate network restricted to the relevant security personnel only.

Storage, data retention and disposal

Storage is required while documents are being worked on by people at your organization, so that changes can be recorded and the workflow can proceed; this takes place in one of the Cloud Services, as applicable. Whichever Cloud Service is used, DocuVision can write the final processed/redacted copies (i.e., after all review is completed) directly to your internal systems if your team can provide APIs. Otherwise, at your request, DocuVision can store them in the relevant Cloud Service with access through SSO (ADFS). In other words, once review is completed by people at your organization, the files are stored at a location you specify.

Customer data is removed within 48 hours of the end of processing and write-back to your system or the location you indicate, or upon expiration of the retention period set out in the service agreement between DocuVision and you. DocuVision hard-deletes all information from currently running production systems (excluding non-identifiable characteristics of the data, which are used to improve our service), and backups are destroyed within 14 days. DocuVision’s hosting providers are responsible for ensuring that data is removed from disks in a responsible manner before those disks are repurposed.