Security Overview

v19.10

At Uva Software, LLC (the company behind Scanii.com) we strive to apply the latest physical and logical security methodologies to protect our customer data at rest and in transit - this is why customers should trust us.

Access control and organizational security

People

All of our employees and contractors sign confidentiality agreements before gaining access to our code and privileged/production access is only given to those that need it in order to do their jobs.
We require all employees to follow common security practices:

All production operations happen using Amazon Web Services and we require two factor authentication for console and remote access.

Penetration testing

No software is perfect and today’s applications rely on an ever growing number of third party open source libraries. To help quickly react and address software vulnerability problems we have a simple and effective bounty system in place that, over the years, has paid thousands of dollars for responsible vulnerability disclosures. You can find more about it here .
We also submit to a yearly penetration test done by a reputable third-party security company with report available upon request.

Intrusion Detection

We deploy a network-based automated intrusion detection system (IDS), AWS GuardDuty, in all regions we operate. This system continually analyzes our CloudTrail, VPC Flow as well as DNS request logs and triggers an alert if suspicious activity is identified.

Audit, Security Policies and Standards

We submit a self assessment for PCI compliance yearly (SAQ) and a copy can be provided upon request after an NDA is signed. As a company we do not currently plan on performing a SOC audit of our own but we rely solely upon Amazon Web Services for our data center needs and they have an extraordinarily strong compliance policy - we are also able to share their SOC and ISO reports upon request.

Software Development Lifecycle

Software is inherently hard hence we strive to use the latest in methods and tools to deliver the most reliable, secure and capable product to our customers. Today, this is how we create software:
1. Features and bugs start as Github issues against a specific source code project. Severity and other metadata is assigned to the issue via labels.
2. Engineering and Product prioritize the features that should receive immediate engineering time
3. Development starts against a specific issue culminating with a pull request for review, automated testing and eventual upstream merge. Once the pull request is merged the issue ticket is closed
4. Once merged our CI/CD service (CircleCi) will build, test and deploy the changes to production using Amazon tooling on a per reason basis (for multi region services)
5. In case of a regression, the deploy will be rolled back to the previous version

Intellectual property protection

Protecting our rights

Like most modern businesses, we rely upon a large amount of open source software to deliver our services to customers. To protect against the accidental introduction of a viral license (such as GPL ) in our codebase we utilize an automatic license checker integrated into our source code build infrastructure. Software acquired via other means is manually tracked in a separate licenses.yml file include in our source code for manual auditing.

Protecting the rights of others

Employees must comply with all applicable laws with regard to handling and modifying IP owned by others and we claim no ownership of content submitted for analysis by our service.

Data sovereignty, protection and privacy

Data Location

We built our product to have a strong data sovereignty stance from the beginning by deploying region specific versions of our software across data centers in the US, Europe and Australia. Content sent to a specific processing region will never traverse to another.

We never permanently store customer files. Your data is only in our servers for the extent of time necessary to process and fingerprint it (usually seconds), after that we store metadata about its content to help us improve the overall engine accuracy. All stored metadata is inferred and will never include any user provided information such as file name or type.
For content identification engines that require image processing, we may submit your content to other Amazon services within the same processing region. These services will also never permanently store your files or utilize it for their own training.

Encryption in transit and at rest

In transit (that is, as your files are being transferred via the internet) all traffic is encrypted using state of the art TLS encryption with certificates provided by Amazon’s Certificate Manager .
At rest (that is once your files have reached our content processing servers) your files are buffered to encrypted disks using industry standard AES-256 for processing.
We strive for A+ TLS settings grade by ssllabs and you can review our scores for yourself here:
* https://www.ssllabs.com/ssltest/analyze.html?d=scanii.com
* https://www.ssllabs.com/ssltest/analyze.html?d=api.scanii.com

Other data points, such as your email and information about your API keys are all stored in an encrypted RDS database or encrypted S3 bucket - both of these also use the AES-256 algorithm.
All account passwords are hashed using NIST recommended PBKDF2.

Physical Security

We utilize state of the art datacenters from Amazon Web Services in their us-east, eu-west and ap-southeast-2 regions utilizing the latest in physical and logical security. You can find out more about it here https://aws.amazon.com/compliance/data-center/controls/ .

Law Enforcement

As stated in our privacy policy, we may need to disclose Personal Data in response to lawful requests by public authorities, for law enforcement or national security reasons, or when such action is necessary to comply with a judicial proceeding or court order, or when otherwise required by law.

Data Deletion

All data used to power our web application is backed up for 30 days. As stated in our Privacy Policy, we also give customers the ability to have their data permanently anonymized ( https://scanii.com/user/preferences/privacy ). After performing this operation no content stored by us will be able to be traced back to the individual user after 31 days (once our backups and logs roll over).

Backup and disaster recovery

We ensure that all production systems that store state related to providing our services to customers comply with the following backup strategy:
* Daily backups for 30 days
* Point in time restore capability for all databases
* All backups must be remotely stored

A business continuity plan ensures that our company could recover from a catastrophic incident in 24 hours or less by re-deploying our services to another Amazon Web Services region.

Conclusion

At Uva Software, LLC we understand that holding on to customer data, even if for a split second, comes with a lot of responsibility and it could make or break our company. That’s why, since 2007, we have been investing in people and technology to earn your business and provide the best quality content identification service so you can trust your user generated content.

Last updated on 10/21/2019.