We earn the trust of our customers by making data security our top priority.
Privacy and data-protection you can count on.
Ziflow has completed a third-party SOC 2 Type II audit. Our continued SOC 2 attestation means our organizational and technology controls are independently audited at least annually.
Ziflow is a member of the Privacy Shield framework. Privacy Shield was an agreement between the EU and US that allowed for the transfer of personal data from the EU to the US; note that the Court of Justice of the EU invalidated it as a transfer mechanism in July 2020 (Schrems II), so membership alone no longer serves as a lawful basis for such transfers.
Ziflow is GDPR compliant. GDPR expands the privacy rights of individuals in the EU and requires companies that process their personal data to comply with a set of regulations that applies regardless of where the company is located.
Ziflow is hosted with Amazon Web Services (AWS), which provides built-in security features at the infrastructure layer. Under the AWS shared-responsibility model, our team applies AWS best practices to further harden the systems and processes we control. Amazon runs a robust physical security program, and its data centers hold multiple certifications, including SOC 1 and SOC 2.
Ziflow partners with CrowdStrike, which provides comprehensive, automated malware detection for files uploaded to the service by users, reducing the chance that a user-supplied file carries malware. In addition, we maintain a blocklist of forbidden file extensions covering file types that are considered dangerous, such as executables. Blocking these types reduces the risk of malware infection significantly; it is a defense-in-depth measure alongside content scanning rather than a substitute for it, since a file's name says nothing reliable about its contents.
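As an added example (not Ziflow's code), the following Go program shows how an upload check like the one described above can be implemented so that the extension blocklist is not bypassed by case changes, trailing dots or spaces, double extensions or path tricks, and is backed by a check of the file's leading bytes. The blocklist and the magic-byte table are constructed for illustration; Ziflow's actual list is not published on this page.

```go
package main

import (
	"bytes"
	"fmt"
	"path"
	"strings"
)

// blockedExtensions is a constructed, illustrative blocklist (not Ziflow's).
// It covers common executable and script types.
var blockedExtensions = map[string]bool{
	"exe": true, "dll": true, "scr": true, "com": true, "bat": true, "cmd": true,
	"ps1": true, "vbs": true, "js": true, "jar": true, "msi": true, "hta": true,
}

// executableMagic maps well-known executable file signatures to a label.
// Checking bytes as well as names catches an .exe renamed to .pdf.
var executableMagic = []struct {
	prefix []byte
	label  string
}{
	{[]byte("MZ"), "windows-pe"},
	{[]byte{0x7f, 'E', 'L', 'F'}, "elf"},
	{[]byte{0xca, 0xfe, 0xba, 0xbe}, "mach-o-fat-or-java-class"},
	{[]byte{0xcf, 0xfa, 0xed, 0xfe}, "mach-o-64"},
}

// CheckUpload returns (blocked, reason) for an upload, given the
// client-supplied file name and the first few bytes of its content.
func CheckUpload(name string, head []byte) (bool, string) {
	// Keep only the final path element; a client can send "../../x.exe".
	base := path.Base(strings.ReplaceAll(name, `\`, "/"))
	// Windows silently strips trailing dots and spaces ("evil.exe. " -> "evil.exe"),
	// so normalise before looking at extensions, and compare case-insensitively.
	base = strings.ToLower(strings.TrimRight(base, ". "))

	// Inspect every extension component, not just the last one, so that
	// double extensions such as "report.exe.pdf" are still caught.
	parts := strings.Split(base, ".")
	for _, ext := range parts[1:] {
		if blockedExtensions[ext] {
			return true, "blocked extension ." + ext
		}
	}

	// Content check: the name may lie, the leading bytes usually do not.
	for _, m := range executableMagic {
		if bytes.HasPrefix(head, m.prefix) {
			return true, "executable content (" + m.label + ")"
		}
	}
	return false, ""
}

func main() {
	// Constructed sample uploads, including the bypass attempts handled above.
	samples := []struct {
		name string
		head []byte
	}{
		{"brochure.pdf", []byte("%PDF-1.7")},
		{"Invoice.EXE", nil},
		{"invoice.exe. ", nil},
		{"report.exe.pdf", nil},
		{`..\..\tools\setup.bat`, nil},
		{"brochure.pdf", []byte("MZ\x90\x00")}, // a PE file renamed to .pdf
	}
	for _, s := range samples {
		blocked, why := CheckUpload(s.name, s.head)
		fmt.Printf("%-26q blocked=%-5v %s\n", s.name, blocked, why)
	}
}
```

Blocking on any extension component is deliberately conservative; it will also refuse names like `notes.exe.txt`, which is the right trade-off for an upload surface where an extension list is only the first of two checks.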
Network Intrusion Detection System (NIDS) sensors are used in tandem with native AWS security services, which are enabled for all production assets.
Our platform is hosted across multiple availability zones, and we run a separate disaster recovery instance of Ziflow that is kept on standby at all times.
Extensive performance and availability monitoring allows us to keep a close eye on system health and mitigate unforeseen issues early on.
Uptime is as mission critical to us as it is to your business. Our internal uptime goal is 99.99%, and our 2022 uptime record is 100%.
Our Enterprise edition gives you all the security needed to deploy at scale.
Easily authenticate and manage your enterprise users at scale.
Maintain activity logs for any period of time, or export projects for your records.
Administrators gain full control over their team, content and systems permissions.
We never store passwords in clear text; they are always salted and hashed with bcrypt. Bcrypt is a proven, deliberately slow algorithm and remains one of the recommended choices for password storage.
Data at rest is encrypted using AES-256. Encryption keys are managed by AWS Key Management Service (KMS). An annually rotated customer master key (CMK, now called a KMS key in AWS terminology) is used to encrypt all customer data submitted to the Ziflow service and processed on their behalf. Automatic KMS rotation creates new backing key material each year while retaining the previous material, so data encrypted under an earlier key version can still be decrypted; rotation does not by itself re-encrypt existing data.
All network communication uses TLS with at least 128-bit AES encryption. Connections use TLS v1.2, encrypted and authenticated with AES_128_GCM (an AEAD cipher) and using ECDHE_RSA for key exchange, which provides forward secrecy because session keys are not derived from the server's long-term RSA key. Qualys SSL Labs scored Ziflow's TLS configuration A+ on its SSL Server Test, and we regularly monitor this score.
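As an added Go example (not Ziflow's code), this program shows the envelope-encryption pattern that KMS-backed encryption at rest follows and why annual key rotation does not break old data: each object gets its own random data key (DEK), the DEK is wrapped under a versioned key-encryption key (KEK), and rotation adds a KEK version rather than replacing the old one. The `KeyRing` type is a local stand-in for a KMS key with automatic rotation, not the AWS KMS API, and the object IDs and plaintexts are constructed for the demo.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored next to each object: the object ciphertext plus
// its data key, itself encrypted ("wrapped") under a versioned key-encryption key.
type Envelope struct {
	KEKVersion int
	WrappedDEK []byte // AES-256-GCM (nonce || ciphertext) of the DEK under the KEK
	Ciphertext []byte // AES-256-GCM (nonce || ciphertext) of the object under the DEK
}

// KeyRing stands in for a KMS key with automatic rotation: one logical key,
// several versions of backing material, every old version kept for decryption.
// (Illustrative only; this is not the AWS KMS API.)
type KeyRing struct{ versions [][]byte }

func NewKeyRing() (*KeyRing, error) { kr := &KeyRing{}; return kr, kr.Rotate() }

// Rotate adds fresh 256-bit key material as the new current version.
func (kr *KeyRing) Rotate() error {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return err
	}
	kr.versions = append(kr.versions, k)
	return nil
}

func (kr *KeyRing) Current() int { return len(kr.versions) - 1 }

func (kr *KeyRing) kek(v int) ([]byte, error) {
	if v < 0 || v >= len(kr.versions) {
		return nil, errors.New("unknown KEK version")
	}
	return kr.versions[v], nil
}

// seal and open are AES-256-GCM with a random 96-bit nonce prepended to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

func open(key, sealed, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil { return nil, err }
	gcm, err := cipher.NewGCM(block)
	if err != nil { return nil, err }
	if len(sealed) < gcm.NonceSize() { return nil, errors.New("ciphertext too short") }
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt generates a per-object DEK, encrypts the object with it and wraps the
// DEK under the current KEK version. objectID is bound as associated data so an
// envelope cannot be silently moved between objects.
func Encrypt(kr *KeyRing, objectID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil { return nil, err }
	ct, err := seal(dek, plaintext, []byte(objectID))
	if err != nil { return nil, err }
	kek, _ := kr.kek(kr.Current())
	wrapped, err := seal(kek, dek, []byte(objectID))
	if err != nil { return nil, err }
	return &Envelope{KEKVersion: kr.Current(), WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with whichever KEK version the envelope names; this
// is why rotation does not break old objects: old versions remain usable.
func Decrypt(kr *KeyRing, objectID string, env *Envelope) ([]byte, error) {
	kek, err := kr.kek(env.KEKVersion)
	if err != nil { return nil, err }
	dek, err := open(kek, env.WrappedDEK, []byte(objectID))
	if err != nil { return nil, err }
	return open(dek, env.Ciphertext, []byte(objectID))
}

// Rewrap moves an envelope to the current KEK version by unwrapping and
// re-wrapping only the 32-byte DEK; the object ciphertext is left untouched.
func Rewrap(kr *KeyRing, objectID string, env *Envelope) error {
	oldKEK, err := kr.kek(env.KEKVersion)
	if err != nil { return err }
	dek, err := open(oldKEK, env.WrappedDEK, []byte(objectID))
	if err != nil { return err }
	newKEK, _ := kr.kek(kr.Current())
	wrapped, err := seal(newKEK, dek, []byte(objectID))
	if err != nil { return err }
	env.KEKVersion, env.WrappedDEK = kr.Current(), wrapped
	return nil
}

func main() {
	kr, _ := NewKeyRing()
	env, _ := Encrypt(kr, "proof/123", []byte("confidential artwork")) // constructed sample
	_ = kr.Rotate()                                                     // annual rotation: version 1 is now current
	pt, err := Decrypt(kr, "proof/123", env)                            // still decrypts under version 0
	fmt.Printf("after rotation: %q (KEK v%d, err=%v)\n", pt, env.KEKVersion, err)
	_ = Rewrap(kr, "proof/123", env)
	fmt.Printf("after rewrap:   KEK v%d, object ciphertext unchanged\n", env.KEKVersion)
}
```

Rewrapping is the cheap way to retire an old key version: it touches a few dozen bytes per object instead of re-encrypting every stored file, which is also why a rotation schedule and a re-encryption schedule are separate decisions.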
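The TLS profile described above, as an added Go example (not Ziflow's configuration): a server config that sets TLS 1.2 as the floor and allows only ECDHE key exchange with AES-GCM, plus a `Probe` helper that shows which clients it refuses. The certificate is a self-signed ECDSA one generated in memory so the demo runs offline, which is why the TLS 1.2 suite it negotiates is ECDHE_ECDSA rather than the ECDHE_RSA the page reports for Ziflow's RSA certificate; the listener address and host name are assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// HardenedTLSConfig matches the profile on the page: TLS 1.2 as the minimum,
// ECDHE key exchange (forward secrecy) and AES-GCM only. TLS 1.3 suites are
// fixed by Go and are all AEAD, so they need no listing here.
func HardenedTLSConfig(cert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		MinVersion:   tls.VersionTLS12,
		CipherSuites: []uint16{
			tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
			tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
			tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
		},
	}
}

// selfSignedCert makes a throwaway ECDSA certificate for "localhost" so the
// demo runs offline. A production certificate comes from a real CA.
func selfSignedCert() (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return tls.Certificate{}, nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { return tls.Certificate{}, nil, err }
	leaf, err := x509.ParseCertificate(der)
	if err != nil { return tls.Certificate{}, nil, err }
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool, nil
}

// Probe starts a hardened server on a loopback port, connects once with the
// given client config and returns the negotiated version and cipher suite, or
// the handshake error the client sees.
func Probe(client *tls.Config) (version, suite uint16, err error) {
	cert, pool, err := selfSignedCert()
	if err != nil { return 0, 0, err }
	ln, err := tls.Listen("tcp", "127.0.0.1:0", HardenedTLSConfig(cert))
	if err != nil { return 0, 0, err }
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil { return }
		_ = c.(*tls.Conn).Handshake() // drive the server side; the client observes the result
		c.Close()
	}()
	client.RootCAs, client.ServerName = pool, "localhost"
	conn, err := tls.Dial("tcp", ln.Addr().String(), client)
	if err != nil { return 0, 0, err }
	defer conn.Close()
	st := conn.ConnectionState()
	return st.Version, st.CipherSuite, nil
}

func main() {
	clients := map[string]*tls.Config{
		"tls1.0-1.1 only ": {MinVersion: tls.VersionTLS10, MaxVersion: tls.VersionTLS11},
		"rsa-kx cbc suite": {MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{tls.TLS_RSA_WITH_AES_128_CBC_SHA}},
		"tls1.2 ecdhe-gcm": {MaxVersion: tls.VersionTLS12, CipherSuites: []uint16{tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256}},
		"modern default  ": {},
	}
	for name, cfg := range clients {
		v, s, err := Probe(cfg)
		if err != nil {
			fmt.Printf("%s refused: %v\n", name, err)
			continue
		}
		fmt.Printf("%s ok: version 0x%04x, %s\n", name, v, tls.CipherSuiteName(s))
	}
}
```

The important part is what is absent from `CipherSuites`: no RSA key exchange (no forward secrecy) and no CBC suites, so a downgrade to either fails at the handshake rather than silently succeeding, which is the behaviour an SSL Labs A+ depends on.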
Security is integral to Ziflow’s software development life cycle (SDLC). As part of that process, Ziflow incorporates threat modeling, attack surface analysis, security architecture analysis and continuous security training for its teams.
The Open Web Application Security Project (OWASP) is an online community that produces freely available articles, methodologies, documentation, tools, and technologies in the field of web application security. It was started in 2001 as a nonprofit organization and has contributed a wide range of publications since. Ziflow has adopted the OWASP Top 10 recommendations: it performs internal and third-party penetration testing on its products with an emphasis on the OWASP Top 10 risks, and uses code scanning to check Ziflow products against known vulnerabilities.
Vulnerabilities are identified and classified based on our evaluation of their risk and impact on the confidentiality, integrity, and availability of the service and of customer data. The engineering team remediates identified vulnerabilities within predefined targets set by our Patch and Change Management Policies.
Application penetration testing is performed at least quarterly by an independent third party, using both manual and automated testing methods. In addition, our team regularly performs security audits and penetration tests of features that require a deep understanding of our internal security mechanisms and architecture. As part of our external and internal penetration testing, network scanning tools are also run against our production servers.