Security Overview
At Uva Software, LLC (the company behind Scanii.com), we strive to apply the latest physical and logical security methodologies to protect our customers' data at rest and in transit. That is why we believe our customers should trust us.
Access control and organizational security
People
All of our employees and contractors sign confidentiality agreements before gaining access to our code, and privileged/production access is given only to those who need it to do their jobs.
We require all employees to follow common security practices:
- Disk encryption for all company-provided IT equipment
- Utilize unique strong passwords securely managed by a password manager
- Enable two-factor authentication for all sites that support it
- All endpoints are managed via EDR
All production operations happen using Amazon Web Services, and we require two-factor authentication for console and remote access.
Penetration testing
No software is perfect, and today’s applications rely on an ever-growing number of third-party open source libraries. To help us react quickly to software vulnerabilities, we have a simple and effective bounty system in place that, over the years, has paid thousands of dollars for responsible vulnerability disclosures. You can find more about it here.
We also submit to a yearly penetration test done by a reputable third-party security company with a report available upon request.
Intrusion Detection
- We deploy a network-based automated intrusion detection system (IDS) in all regions where we operate. This system continually analyzes our CloudTrail, VPC Flow, and DNS request logs and triggers an alert if suspicious activity is identified.
- All endpoints are fully managed using an endpoint detection and response (EDR) tool
Audit, Security Policies and Standards
- We submit a self-assessment for PCI compliance yearly (SAQ) and a copy can be provided upon request after an NDA is signed.
- As a company we do not currently submit to a SOC audit of our own, but we rely upon Amazon Web Services for our data center needs and they have an extraordinarily strong compliance policy - we are also able to share their SOC and ISO reports upon request.
- Policies and terms can be found here: https://docs.scanii.com/category/140-terms-and-policies
Patching and dependency management
We use tools that ensure our servers always run software free of known vulnerabilities and can quickly patch our fleet if a new vulnerability is disclosed. For third-party libraries our own code depends on, we utilize "pull request" based automated tooling integrated into our development process.
Software Development Lifecycle
Software is inherently challenging, so we strive to use the latest methods and tools to deliver the most reliable, secure, and capable product to our customers. This is how we create software today:
- Features and bugs start as GitHub issues against a specific source code project. Severity and other metadata are assigned to the issue via labels.
- Our teams prioritize the features that require immediate engineering attention.
- Development begins against a specific issue, culminating in a pull request for review, automated testing, and eventual upstream merge. Once the pull request is merged, the issue ticket is closed.
- Once merged, our CI/CD service builds, tests, and deploys the changes to production using a fully automated ring-based deployment that ensures safeguards are in place in case a bug is introduced.
Intellectual property protection
Protecting our rights
Like most modern businesses, we rely upon a large amount of open source software to deliver our services to customers. To protect against the accidental introduction of a viral license (such as GPL) in our codebase, we utilize an automatic license checker integrated into our source code build infrastructure. Software acquired via other means is manually tracked in a separate licenses.yml file included in our source code for manual auditing.
Protecting the rights of others
Employees must comply with all applicable laws regarding handling and modifying IP owned by others and we claim no ownership of content submitted for analysis by our service.
Data sovereignty, protection and privacy
Data Location
We built our product to have a strong data sovereignty stance from the beginning by deploying region specific versions of our software across data centers in the US, Europe and Australia. Content sent to a specific processing region will never traverse to another.
We never permanently store customer files. Your data is only on our servers for the time necessary to process and fingerprint it (usually seconds). After that, we store metadata about its content to help us improve the overall engine accuracy. This metadata is inferred and will never include any user-provided information such as file name or type.
For content identification engines that require image processing, we may submit your content to other Amazon services within the same processing region. These services will also never permanently store your files or utilize them for their own training.
Encryption in transit and at rest
In transit (that is, as your files are being transferred via the internet), all traffic is encrypted using state of the art TLS encryption (v1.2 and v1.3) with certificates provided by Amazon’s Certificate Manager.
At rest (that is, once your files have reached our content processing servers), your files are buffered to encrypted disks using industry standard AES-256 for processing.
We strive for an A+ TLS settings grade from SSL Labs, and you can review our scores for yourself here:
- https://www.ssllabs.com/ssltest/analyze.html?d=scanii.com
- https://www.ssllabs.com/ssltest/analyze.html?d=api.scanii.com
Other data points, such as your email and information about your API keys, are all stored in an encrypted RDS database or encrypted S3 bucket; both also use the AES-256 algorithm.
All account passwords are hashed using NIST-recommended PBKDF2.
Physical Security
We utilize state of the art datacenters from Amazon Web Services in multiple regions, utilizing the latest in physical and logical security. You can find out more about it here: https://aws.amazon.com/compliance/data-center/controls/
Law Enforcement
As stated in our privacy policy, we may need to disclose Personal Data in response to lawful requests by public authorities, for law enforcement or national security reasons, or when such action is necessary to comply with a judicial proceeding or court order, or when otherwise required by law.
Backup and disaster recovery
We ensure that all production systems that store state related to providing our services to customers comply with the following backup strategy:
- Daily backups for 30 days
- Point in time restore capability for all databases
- All backups must be remotely stored
A business continuity plan ensures that our company could recover from a catastrophic incident in 48 hours or less (RTO) by re-deploying our services to another Amazon Web Services region.
Conclusion
At Uva Software, LLC, we recognize the importance of handling customer data with utmost care and responsibility. We fully understand that even a momentary possession of such data can significantly impact the success and reputation of our company. This is precisely why, since 2007, we have made substantial investments in both personnel and technology, with the primary goal of earning your trust and delivering the highest quality content identification service. Your confidence in our ability to safeguard your user-generated content is of paramount importance to us.