<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=348068&amp;fmt=gif">
Couchdrop Cloud SFTP logo

Security, Privacy & Compliance

Security built for today's threats

Your data is under active protection with continuous monitoring, automated threat response, and independent security testing. We're certified (SOC 2, HIPAA-ready, GDPR), but what matters is the ongoing work that happens between audits.

View Trust Center Request pen test report
SOC 2 Compliance HIPAA Ready GDPR Ready

Continuous scanning

The Aikido security platform continuously scans our infrastructure for vulnerabilities and misconfigurations. 

Behavioral monitoring

Anomaly detection identifies threats instantly. Rate limiting and lockouts stop attacks before they succeed.

Penetration testing

Gray and black hat penetration tests are performed regularly by independent security firms.

Data Security

Your data is encrypted everywhere, with no permanent storage and granular access controls.

End-to-End Encryption

Your files are encrypted at all points of the transfer process:

  • In transit: TLS 1.2+ for all connections, secure protocols for transfers, and HTTPS for web access
  • At rest: Files stay within your platforms and aren’t stored at rest unless using optional hosted storage in AWS S3 that employs AES-256 encryption
  • Infrastructure: Full-disk encryption on all servers and storage systems

Cloud Storage

When bringing your own storage (SharePoint, AWS S3, etc), files stay within the connected storage platform, and Couchdrop simply works as a secure bridge between different systems and never stores the files at any time.

Hosted Storage

Couchdrop Hosted Storage is encrypted using AES-256 via SSE-C from Amazon S3, which facilitates client-side key-based encryption. Each customer has their own set of keys used to encrypt data in hosted S3 storage and can choose from four international storage regions.

Access Controls

Admins can set granular access controls at both the user and organization level, including:

  • User root isolation to any folder with granular read/write access control
  • Multi-factor authentication (2FA) available across all plans
  • IP whitelisting and feature restrictions
  • SSO integration with your existing identity systems
  • Automatic session timeouts and lockout policies
  • Custom secure password policy configurations and lockout after multiple failed login attempts

Detailed Audit Logging

All system events, including authentication, transfers, and admin events, are logged and available to view at any time. Couchdrop can also send log events directly to your SIEM provider. 

Infrastructure Security

Our infrastructure is built cloud-native with automated security updates and comprehensive firewall protection.

Infrastructure as Code

All infrastructure is provisioned and managed through code with microservices and containerization architecture. Components are isolated and can be updated independently, while systems can be rapidly replaced if compromised without single points of failure.

Firewall and Network Protection

Feature and protocol restrictions and configurable ACLs backed by infrastructure-wide web application firewalls, rate limiting, and IP controls help ensure only authorized traffic has access to your environment.

Automatic Updates & Patching

Ongoing infrastructure scans from Aikido check for vulnerabilities and known CVEs, and any critical issues are addressed within a day, with patches and updates delivered to users automatically.

Device and Endpoint Security

All company devices use encrypted Apple hardware with system integrity protection, full-disk encryption (FileVault), automatic security updates, remote management capabilities, and strong device access policies.

Business Continuity

Our platform is fully redundant with the ability to shift to new cloud infrastructure within 24 hours if needed. Being cloud-native across the entire organization provides flexibility and resilience that traditional on-premise solutions cannot match.

Privacy & Data Handling

Couchdrop operates under a data minimization framework that leaves you in control of your data.

Data Minimization

We collect only the data necessary to provide our service. We don't store your file contents permanently, and we don't scan or analyze your data for any purpose other than providing the file transfer service.

Data Sovereignty

You choose where your data is stored. With bring-your-own-storage, your data never leaves your chosen cloud provider. With our hosted storage, you can select the specific geographic region for your data.

Account Metadata

Account metadata includes usernames, OAUTH, and other user credential sets required for the Couchdrop service. Metadata is stored in encrypted databases located in SOC2-compliant data centers in the USA and is only accessible via Couchdrop’s secure API. 

Data Retention and Deletion

Couchdrop only collects and retains data necessary to provide our service:

  • Account data is purged 90 days after cancellation
  • Temporary processing data is deleted immediately after transfer
  • Audit logs are retained for security and compliance purposes
  • Credit card information is never stored and is handled by PCI-compliant payment processors

Employee Access and Training

All Couchdrop staff are screened using a process that includes checking professional references, education, and background. Each employee also undergoes annual security awareness training. 

Support staff can access customer accounts for troubleshooting, but this can be disabled in account security settings. All Support activity is logged and monitored by our operations team.

Third-Party Processors

We work with vetted subprocessors for specific functions like payment processing and infrastructure hosting. The complete list of third-party processors is available in our Trust Center.

Monitoring & Incident Response

Continuous infrastructure monitoring and a comprehensive incident response plan minimize data risk.

24/7 Monitoring

Couchdrop’s ongoing security monitoring checks for unusual access patterns, failed login attempts, and system anomalies, immediately alerting our security team if there are any suspicious behaviors.

Incident Investigation

When monitoring detects potential issues, detailed forensic data enables rapid investigation and root cause analysis. Complete audit trails help quickly determine what happened and who was involved.

Incident Response Plan

We have a documented Security Incident Response Plan with immediate containment protocols, forensic analysis capabilities, and customer notification within 72 hours if your data is affected.

Compliance & Auditing

Couchdrop meets several compliance frameworks and maintains 78 specific security controls that are monitored continuously. Independent audits and certifications are available for review through our Trust Center.

SOC 2 Compliance Badge for Vanta

SOC 2 Type II Certified

Couchdrop is SOC 2 Type II certified and has annual third-party SOC 2 audits

See more about Couchdrop and SOC 2 →

HIPAA Compliance Badge for Vanta

HIPAA Ready

Couchdrop will sign a BAA and provides dedicated HIPAA-ready infrastructure

See more about Couchdrop and HIPAA →

GDPR Compliance Badge for Vanta

GDPR Ready

Couchdrop is audited for GDPR and has a DPA available to view in our Trust Center

See more about Couchdrop and GDPR →

Security documentation available

All security documentation, audit reports, and technical specifications are maintained in our Trust Center with real-time updates to security control status.

SOC 2 audit reports (Type I and Type II)
Security whitepapers and technical documentation
Request penetration test reports (available under NDA)
GDPR Data Processing Agreements

Contact Security Team

security@couchdrop.io

For technical security questions during evaluation, our team can provide detailed technical specifications and walk through our security architecture.

For more information on security including white papers, compliance reports, and monitoring, see our Trust Center.

Visit Trust Center →
Vanta logo