Security Policy
Maintaining a secure environment to store, process and serve your images is crucial for the delivery of our service to you.
To achieve this, Sirv places security as the underlying foundation of all platform management and development decisions. It’s the foundation behind our 12 years of business success and continued growth beyond 20,000 customers, including many of the worlds largest enterprises.
Our Information Security Policy provides a framework for the management of: Operational security; Physical security and; Application security.
Operational security
Our operational security measures span our entire company and every team member.
Infosec team
Our Infosec Team is responsible for securing Sirv file storage, processing and delivery, as well as the availability of Sirv’s web application. The team carries out regular audits to identify vulnerabilities and is responsible for our Incident Response Plan and Disaster Recovery Plan, to respond to security events. Specific duties include:
- Maintain and support our automated test suite for application development.
- Review all code and infrastructure changes to ensure they follow best practices and security guidelines.
- Build and operate Sirv’s infrastructure, including logs, monitoring and authentication.
- Design, test and review incident response processes.
- Respond to alerts triggered by any security events.
- Coordinate external audits and security certifications.
- Monitor and alert on abnormal activity.
- Coordinate vulnerability testing with external security researchers.
The Infosec team reports to our board of directors, who hold ultimate responsibility of Information Security. Board members are company founders and shareholders, dedicated to the long-term success of Sirv.
Operational security policies
We follow a documented set of security guidelines and supporting procedures, aligned with the ISO 27001 standard. This documentation is regularly reviewed for continuous improvement and to identify new threats and reflect changes to our processes.
We use the NIST Cyber Security Framework to measure our ability to identify, protect, detect, respond and recover from security events.
Data security
We store each account’s data in its own bucket, on its own filesystem. Each request is authenticated and logged. All uploaded data is sliced and written to multiple disks and multiple servers instantly. Files stored on Enterprise plans are also replicated to separate data centers on private, end-to-end encrypted network connections, contributing to Sirv’s 99.999% availability SLA commitment for Enterprise plans. Sirv maintains an internal standard of 99.9% availability for all other plans.
We have an internally built system that monitors and automatically blocks suspicious activity (including vulnerability scanning, failed logins, and a host of other suspicious activity). We also have alerts in place for excessive resource use that escalates to our Backend team for manual investigation.
Our software infrastructure is updated regularly with the latest security patches.
Awareness and training
All staff go through a vetting process, after which they sign a confidentiality agreement and Staff Compliance Agreement. Key staff are subject to background checks.
We operate a Logical Access Control Policy which, amongst other procedures, employs the concept of least privilege, allowing staff authorized access to systems or data only necessary to accomplish assigned tasks.
All relevant team members participate in analyzing and understanding potential risks and threats to the service. We provide an ongoing program of security awareness training designed to keep all members of staff informed and vigilant of security risks. This includes regular comprehension assessments, to measure program effectiveness.
GDPR & Data Protection
Sirv is GDPR-compliant and supports the privacy rights of our customers and their users. For further details, please visit the our Data page.
We never give, rent, or sell access to your data to anyone else, nor do we make use of it ourselves for any purpose other than to provide our services. See our privacy policy for more information.
Incident Response
We have implemented an Incident Response Plan for security events, which can be made available under NDA upon request. To learn from any incidents and improve the response process, Sirv conducts and records an internal Incident Response Report, which can also be shared with customers.
Sirv is built on high-availability architecture. We employ redundancy across all accounts, to ensure normal service when hard drives or servers fail. Enterprise accounts also have a failover service, to automatically switch to a replica data center in the event of a total primary data center outage.
Physical security
We follow our Physical Security Policy to implement physical controls designed to prevent unauthorized access to, or disclosure of, customer data.
Data storage and processing locations
We store and process all master data in data centers in Germany and Finland. In addition, we deliver processed images via our content delivery network (CDN) in 19 worldwide edge locations, for faster content delivery.
Data center controls
Our data centers are monitored 24×7 for all aspects of operational security and performance. They are also equipped sensors for intrusion detection, keycards, and around-the-clock interior and exterior surveillance.
In addition, access is limited to authorized data center personnel; no one can enter the production area without prior clearance and racks can be accessed only via a transponder key. Every data center employee undergoes background security checks.
Data center compliance
Our data center provider operates an information security management system, which is regularly audited and certified by a third party for DIN ISO/IEC 27001 and PCI-DSS compliance. Compliance certification can be made available under NDA upon request.
Application security
The Sirv web application at https://my.sirv.com/ is designed for security based upon our Web Application Security Policy, with development decisions guided by OWASP security principles for software engineering, encryption and security assurance.
Security testing
Our infrastructure is subject to security benchmarking and monitoring so that we maintain or exceed industry security standards. We also use a combination of regular scheduled scans of our application, as well as bug bounty programs, to ensure that every area of our application has undergone rigorous security testing.
Our scheduled vulnerability assessment scans simulate a malicious user, while maintaining integrity and security of the application’s data and its availability. We also leverage the services of an external third party to perform a yearly penetration testing exercise against our platform to make sure we’ve got every angle covered.
Secure code development
Our development team follows industry best practices including OWASP and SANS. We use separate environments and databases for different stages of application development. We do not use production data in our test and development environments.
Data encryption
To protect data, our web application encrypts information in transit by supporting TLS 1.3 and 1.2. We do not support the older and less secure TLS 1.1 and 1.0 protocols.
The my.sirv.com web application scores the highest possible A+ grade, awarded for exceptional SSL configurations. Currently supported ciphers are shown live at SSL Labs.
Data is uploaded to your Sirv bucket either by HTTPS through the my.sirv.com web app, the S3 API, or the Sirv REST API. Data can also be transmitted by FTP, though FTP is an inherently less secure protocol and can be disabled via the settings page of your Sirv account, for greater security.
User access
Users login to Sirv with an email and password. Verification uses one-way encryption, meaning passwords are stored using a strong salted hash. Your account can have multiple users, with role based access, to control permissions per user. Two-factor authentication is an optional account security feature.
Login information is further protected by access restrictions and critical information (including your password) is encrypted when stored.
Logging and cookie management
We use cookies to authenticate users when they login to your Sirv account. We use session IDs to identify user connections, contained in HTTPS-only cookies not available to JavaScript.
Payment processing
Credit card payments are sent directly to our credit card processor over HTTPS. Card details are neither stored on nor pass through Sirv’s servers. Both Sirv and our credit card processor are PCI compliant. We submit a self assessment (SAQ A 3.2) for PCI compliance annually. A copy of our PCI compliance certificate can be provided under NDA upon request.
Contact Us
If you have any questions about this security policy or anything else about our company and services, please contact us.