Security Overview

At Uva Software, LLC (the company behind Scanii.com), we strive to apply the latest physical and logical security methodologies to protect our customers' data at rest and in transit. That is why we believe our customers should trust us.  

Access control and organizational security

People

All of our employees and contractors sign confidentiality agreements before gaining access to our code, and privileged/production access is only given to those who need it to do their jobs.

We require all employees to follow common security practices:

  • Disk encryption for all company-provided IT equipment
  • Utilize unique, strong passwords securely managed by a password manager
  • Enable two-factor authentication for all sites that support it
  • All endpoints are managed via EDR

All production operations happen using Amazon Web Services, and we require two-factor authentication for console and remote access.

Penetration testing

No software is perfect, and today’s applications rely on an ever-growing number of third-party open source libraries. To help us react quickly and address software vulnerabilities, we have a simple and effective bounty system in place that, over the years, has paid thousands of dollars for responsible vulnerability disclosures. You can find more about it here.

We also submit to a yearly penetration test done by a reputable third-party security company with a report available upon request. 

Intrusion Detection

  • We deploy a network-based automated intrusion detection system (IDS) in all regions we operate. This system continually analyzes our CloudTrail, VPC Flow, and DNS request logs and triggers an alert if suspicious activity is identified.
  • All endpoints are fully managed using a detection and response (EDR) tool

Audit, Security Policies and Standards

  • We submit a self-assessment for PCI compliance yearly (SAQ) and a copy can be provided upon request after an NDA is signed. 
  • As a company we do not currently submit to a SOC audit of our own, but we rely upon Amazon Web Services for our data center needs and they have an extraordinarily strong compliance policy - we are also able to share their SOC and ISO reports upon request. 
  • Policies and terms can be found here: https://docs.scanii.com/category/140-terms-and-policies

Patching and dependency management

We use tools that ensure our servers always run software free of known vulnerabilities and can quickly patch our fleet if a new vulnerability is disclosed. For third-party libraries our own code depends on, we utilize "pull request" based automated tooling integrated into our development process.

Software Development Lifecycle

Software is inherently challenging, so we strive to use the latest methods and tools to deliver the most reliable, secure, and capable product to our customers. This is how we create software today:

  1. Features and bugs start as GitHub issues against a specific source code project. Severity and other metadata are assigned to the issue via labels.
  2. Our teams prioritize the features that require immediate engineering attention.
  3. Development begins against a specific issue, culminating in a pull request for review, automated testing, and eventual upstream merge. Once the pull request is merged, the issue ticket is closed.
  4. Once merged, our CI/CD service builds, tests, and deploys the changes to production using Amazon tooling on a per-region basis (for multi-region services).
  5. In the event of a regression, the deploy will be rolled back to the previous version.

Intellectual property protection

Protecting our rights

Like most modern businesses, we rely upon a large amount of open source software to deliver our services to customers. To protect against the accidental introduction of a viral license (such as GPL) in our codebase, we utilize an automatic license checker integrated into our source code build infrastructure. Software acquired via other means is manually tracked in a separate licenses.yml file included in our source code for manual auditing.

Protecting the rights of others

Employees must comply with all applicable laws regarding handling and modifying IP owned by others and we claim no ownership of content submitted for analysis by our service. 

Data sovereignty, protection and privacy

Data Location

We built our product to have a strong data sovereignty stance from the beginning by deploying region-specific versions of our software across data centers in the US, Europe and Australia. Content sent to a specific processing region will never traverse to another.

We never permanently store customer files. Your data is only on our servers for the time necessary to process and fingerprint it (usually seconds). After that, we store metadata about its content to help us improve the overall engine accuracy. This metadata is inferred and will never include any user-provided information such as file name or type.

For content identification engines that require image processing, we may submit your content to other Amazon services within the same processing region. These services will also never permanently store your files or utilize them for their own training.

Encryption in transit and at rest

In transit (that is, as your files are being transferred via the internet), all traffic is encrypted using state-of-the-art TLS encryption (v1.2 and v1.3) with certificates provided by Amazon’s Certificate Manager.

At rest (that is, once your files have reached our content processing servers), your files are buffered to encrypted disks using industry-standard AES-256 for processing.

We strive for an A+ TLS settings grade from SSL Labs, and you can review our scores for yourself here: 

Other data points, such as your email and information about your API keys, are all stored in an encrypted RDS database or encrypted S3 bucket - both also use the AES-256 algorithm.

All account passwords are hashed using NIST recommended PBKDF2.

Physical Security

We utilize state-of-the-art data centers from Amazon Web Services in multiple regions, using the latest in physical and logical security. You can find out more about it here: https://aws.amazon.com/compliance/data-center/controls/

Law Enforcement

As stated in our privacy policy, we may need to disclose Personal Data in response to lawful requests by public authorities, for law enforcement or national security reasons, or when such action is necessary to comply with a judicial proceeding or court order, or when otherwise required by law.

Backup and disaster recovery

We ensure that all production systems that store state related to providing our services to customers comply with the following backup strategy:

  • Daily backups for 30 days
  • Point in time restore capability for all databases
  • All backups must be remotely stored

A business continuity plan ensures that our company could recover from a catastrophic incident in 48 hours or less (RTO) by re-deploying our services to another Amazon Web Services region.

Conclusion

At Uva Software, LLC, we recognize the importance of handling customer data with utmost care and responsibility. We fully understand that even a momentary possession of such data can significantly impact the success and reputation of our company. This is precisely why, since 2007, we have made substantial investments in both personnel and technology, with the primary goal of earning your trust and delivering the highest quality content identification service. Your confidence in our ability to safeguard your user-generated content is of paramount importance to us. 