We provide robust security and privacy measures to protect your data across all our services, including Sign.Plus, Fax.Plus, and Scan.Plus.
We implement advanced encryption, rigorous access controls, and real-time threat detection to safeguard your data across our services. Our security measures adhere to international standards, ensuring robust protection and privacy. We continuously evolve our defenses to counter emerging cyber threats, keeping your information secure.
All stored files at rest, including signed and faxed documents, are encrypted using 256-bit Advanced Encryption Standard (AES). Each user's data is encrypted under unique encryption keys.
For data in transit between our apps (mobile, API, or web) and our servers, we use Transport Layer Security (TLS), the successor to the older Secure Sockets Layer (SSL) encryption protocol. This creates an encrypted tunnel protected by 128-bit or stronger Advanced Encryption Standard (AES) encryption.
We proudly support TLS 1.3, which improves on TLS 1.2 in both speed and security. It strengthens privacy by ensuring that only the two endpoints can decrypt the traffic, keeping it confidential.
Our security team conducts routine automated and manual security assessments to detect and rectify potential vulnerabilities and bugs in our web and mobile applications. Additionally, we undergo annual security testing via third-party audits, enabling us to promptly address any identified issues across our web, API, and mobile applications. To reinforce our commitment to security, we actively participate in security platforms like HackerOne, further minimizing the likelihood of security incidents.
To enhance stability, performance, and security, our system architecture is built upon an n-tier framework that incorporates multiple layers of protection. These protective layers encompass encryption, network configuration, and application-level controls, all thoughtfully distributed across a scalable and secure infrastructure.
We utilize a Content Delivery Network (CDN) with a network capacity 15x greater than the largest DDoS attack ever recorded. This robust infrastructure is our frontline defense, ensuring the protection of our service against potential DDoS attacks.
Our key management infrastructure, responsible for encrypting files at rest (both signed and faxed files), is meticulously designed with robust operational, technical, and procedural security controls. Access to keys is highly restricted, ensuring the utmost security.
Aside from network-level firewalls, we use enterprise-class web application firewalls (WAF) to protect our service from vulnerabilities such as SQL injection, cross-site scripting (XSS), and cross-site request forgery (CSRF).
All faxed and signed files are stored exclusively in Swiss datacenters, chosen for their adherence to the most stringent security standards, such as ISO 27001. These datacenters are also members of the Cloud Security Alliance (CSA). One of our datacenters is located deep within the Swiss Alps, housed in a former military command and control center near Zurich that was built to withstand a nuclear attack. The other resides in Geneva, close to European financial hubs and global markets.
To accommodate specific data privacy and residency requirements based on regions and countries, our customers have the flexibility to move their fully encrypted files between datacenters situated in various global locations. Explore more about Data Residency to understand how this works.
Alohi's certified Information Security Management System (ISMS) is designed to ensure the security of our customers' data. It covers all interactions with Alohi's stakeholders, including the people, processes, and tools essential for the development, support, and maintenance of our services and products.
Our SOC 2 report provides a comprehensive, control-focused assurance, addressing the Trust Service Criteria for Security (TSP Section 100). It offers an extensive overview of Alohi's procedures and the multiple safeguards implemented to protect your data. EY CertifyPoint, a globally renowned and reputable entity, conducted this assessment, certifying the effective design and operation of our controls.
We respect the importance of maintaining the utmost privacy and security of patient healthcare data. To achieve this, we have meticulously scrutinized every administrative, physical, and technical safeguard requirement, ensuring full compliance with all HIPAA specifications. This comprehensive approach safeguards our customers' data, including individuals' protected health information (PHI) and electronic protected health information (ePHI).
We uphold compliance with the latest version of the PCI DSS to guarantee the safe and secure handling of our customers' payment card information. Our stringent data security standards are in place to ensure the continued safety and security of your credit card details.
In addition to all the security measures we take to ensure the highest level of security and privacy for all our users and their data, we provide the administrators of our Enterprise plans with security tools and features that give them more control over the protection of their data.
Access Logging: Detailed access logs are available to both users and administrators of Enterprise teams. We log every time an account signs in, noting the type of device used and the IP address of the connection.
Block Users: We make it easy to block a user in the event that they’re no longer part of your organization, or in an emergency such as a data breach.
Business Associate Agreement (BAA): We sign a BAA with users of our Enterprise plans who need one in order to comply with the Health Insurance Portability and Accountability Act (HIPAA).
*Advanced Security Controls are only available for Sign.Plus and Fax.Plus Enterprise plans.
All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO), which offer some of the strongest privacy protections in the world for both individuals and corporations. As Alohi is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we hold.
Our number one priority is the privacy and security of our customers’ data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible reporting of potential security vulnerabilities, the security team is committed to working with the community to verify, reproduce and respond to legitimate reports. If you believe you’ve identified a potential security vulnerability, please report it to us right away. We will investigate all legitimate reports and do our best to quickly address the problems.
You can submit your report through our HackerOne Vulnerability Disclosure Program.