Security

Last Updated: 1 December 2018

Security is at the forefront of everything we do at Aerofiler. Customers use Aerofiler to store and process their most sensitive business documents and, in doing so, entrust us with keeping them safe and secure.

We think about enterprise-grade security, privacy, and reliability starting from when we design our product – not as an afterthought. We continually assess and improve organizational security measures that are designed to ensure data is also protected from the human element – both from accidental actions and malicious actors.

Architecture

The Aerofiler application is hosted on Amazon Web Services (AWS), which is designed to provide an uptime exceeding 99.99%. Customer documents are stored within AWS infrastructure on Amazon S3, and metadata is stored on MongoDB’s Atlas service. Both are encrypted at rest using AES 256-bit encryption.

All data in transit between various components of the Aerofiler application is secured with TLS 1.2 encryption.

All communication between clients (whether desktop or mobile) and Aerofiler require HTTPS connections.

Aerofiler uses AWS data centers located in multiple locations and we are able to work with customers who have requirements regarding where their data must be geographically located.

Application

Aerofiler is designed to reduce security risk within your organization:

Security’s on us. We focus on maintaining the security and availability of your data so your IT department doesn’t have to. We handle backups, monitoring uptime, and providing user support.

Limit duplication of sensitive documents via email. People typically share documents via email attachments. Each time such an attachment is sent, replied to, copied, or forwarded – whether internally or externally – a new copy of the document is created and it becomes increasingly difficult to protect, track, and control what happens to that document. Aerofiler helps by letting users send links to important documents, rather than attachments, reducing the unnecessary duplication of documents throughout an organization. This also gives you control over your data because access to such links can be monitored and changed at any time.

Audit logs that you can monitor. Aerofiler features extensive logging of system activity, giving you visibility into actions taken on documents, such as who is viewing, downloading, or editing them.

User-definable permissioning. Aerofiler provides granular control over who can access what in the application. An intuitive interface helps administrators to define and maintain access controls, instead of requiring them to understand complicated Windows ACLs or to contact IT departments for help.

Centralize documents so you know where they are. Over time, important documents get scattered in different places throughout an organization – in different systems, different offices, and different devices – creating “islands” of documents that are difficult to track and impossible to manage in a consistent manner. Aerofiler reduces business risk by making it easy to migrate and consolidate all these documents into one place, whether automatically by integrating with existing systems, or manually by bulk uploads and emails. Our algorithms also detect and prevent duplicates from being filed. And by centralizing where your organization’s documents are, you can also centrally administer them.

More security controls. Aerofiler supports two factor authentication, forced session sign outs, minimum password complexity requirements, the ability to suspend users, and more, giving you more control over your users and your data.

Security Safeguards

ISO 27001 Certification

Aerofiler implements, maintains, and continuously improves its information security management system (ISMS) in accordance with ISO 27001. Aerofiler’s ISMS is audited and certified annually by an independent JAS-ANZ accredited body. ISO 27001 is a widely recognized and internationally accepted set of information security standards which define how organizations should manage and handle information in a secure manner, including by implementing appropriate security controls.

Physical Security

Aerofiler’s information systems and technical infrastructure are hosted within AWS, which provides world-class, SOC-1, SOC-2 and SOC-3 accredited data centers that are also used by the largest companies in the world. Physical security measures at these data centers include 24×7 CCTV monitoring, security guards, visitor logs, and intrusion detection systems.

Access Control

Aerofiler personnel access our technology resources through secure, encrypted connections that require multi-factor authentication. Our production password policy requires complexity , and failed retry lockouts. Aerofiler grants access on a least privilege basis to only those personnel who need it to perform their job. Access is immediately revoked once an employee or contractor finishes working with Aerofiler.

Training and Policies

Aerofiler periodically maintains and updates information security and technology use policies, and personnel are provided with training on such policies at onboarding and on at least an annual basis. We also provide personnel with ongoing training on secure coding practices and job-specific security and privacy practices. Additionally, all personnel are required to sign NDAs with Aerofiler.

Encryption

Customer data is encrypted at rest using enterprise-grade encryption. All personnel devices that access or store customer data also are required to have full hard disk encryption to be enabled.

Customer data is encrypted in transit using TLS protocols.

Software Development

Aerofiler follows OWASP guidelines to protect the application from common attacks. Application source code is stored in a secured, access-controlled environment.

Incident Response and Business Continuity

Aerofiler has a computer information security response program to detect and respond to incidents, and to maintain business continuity. We use technology to continuously monitor production servers, and have plans for responding to any alerts we receive about disruptions in service. If Aerofiler learns of a security breach, we will notify affected users so that they can take appropriate protective steps, and also provide notification according to our legal obligations.

Customer Data Controls

Customer data is owned by customers, and we don’t want to hold it hostage. Customers can use our integrations to backup files uploaded to Aerofiler to their own cloud storage location. If a customer decides to stop using Aerofiler, they can take a copy of their data before they go (both documents and document metadata), and we will delete any customer data that can be tied back to that customer from our systems within 30 days.