Scanii Security Overview

At Uva Software, LLC (the company behind Scanii) we strive to apply the latest physical and logical security methodologies to protect our customer data at rest and in transit - this is why you should trust us.

Access control and organizational security


All of our employees and contractors sign confidentiality agreements before gaining access to our code and privileged/production access is only given to those that need it in order to do their jobs.

We require all employees to follow commons security practices:

All production operations happen using AWS and we require two factor authentication for console access.

Penetration testing

No software is perfect and today's applications rely on an ever growing number of third party open source libraries. To help quickly react and address software vulnerability problems we have a simple and effective bounty system in place that, over the years, has paid thousands of dollars for responsible vulnerability disclosures. You can find more about it here.

Intrusion Detection

We deploy a network-based automated intrusion detection system (IDS), AWS GuardDuty, in all regions we operate. This system continually analyzes our CloudTrail, VPC Flow as well as DNS request logs and triggers an alert if suspicious activity is identified.

Audit, Security Policies and Standards

We submit a self assessment for PCI compliance yearly (SAQ) and a copy can be provided upon request after a NDA is signed. As a company we do not currently plan on performing a SOC audit of our own but we rely solely upon Amazon Web Services for our data center needs and they have an extraordinarily strong compliance policy - we are also able to share their SOC and ISO reports upon request.

Data sovereignty, protection and privacy

Data Location

We built our product to have a strong data sovereignty stance from the beginning by deploying region specific versions of our software across datacenters in the US, Europe and Australia. Content sent to a specific processing region will never traverse to another.

We never permanently store your files. Your data is only in our servers for the extent of time necessary to process and fingerprint it (usually milliseconds), after that we store metadata about its content to help us improve the overall engine accuracy. All stored metadata is inferred and will never include any user provided information such as file name or type.

For content identification engines that require image processing, we may submit your content to other Amazon services within the same processing region. These services will also never permanently store your files or utilize it for their own training.

Encryption in transit and at rest

In transit (that is, as your files are being transferred via the internet) all traffic is encrypted using state of the art TLS encryption with certificates provided by Amazon’s Certificate Manager. At rest (that is once your files have reached our content processing servers) your files are buffered to encrypted disks using industry standard AES-256 for processing.

We strive for A+ TLS settings grade by ssllabs and you can review our scores for yourself here:

Other data points, such as your email and information about your API keys are all stored in a encrypted RDS database or encrypted S3 bucket - both of these also use the AES-256 algorithm.

All account passwords are hashed using NIST recommended PBKDF2.

Physical Security

We utilize state of the art datacenters from Amazon Web Services in their us-east, eu-west and ap-southeast-2 regions utilizing the latest in physical and logical security. You can find out more about it here

Law Enforcement

As stated in our privacy policy, we may need to disclose Personal Data in response to lawful requests by public authorities, for law enforcement or national security reasons, or when such action is necessary to comply with a judicial proceeding or court order, or when otherwise required by law.

Data Deletion

All data used to power our web application is backed up for 30 days. As stated in our Privacy Policy, we also give customers the ability to have their data permanently anonymized ( After performing this operation no content stored by us will be able to be traced back to the individual user after 31 days (once our backups and logs roll over).


At Uva Software, LLC we understand that holding on to your data, even if for a split second, comes with a lot of responsibility and it could make or break our company. That’s why, since 2010, we have been investing in people and technology to earn your business and provide the best quality content identification service so you can trust your user generated content.

If you still have questions, please file a support ticket and we’ll be happy to answer them!

Last updated on 07/16/2016.