Security, Privacy & Compliance
Security built for today's threats
Your data is under active protection with continuous monitoring, automated threat response, and independent security testing. We're certified (SOC 2, HIPAA-ready, GDPR), but what matters is the ongoing work that happens between audits.
Continuous scanning
The Aikido security platform continuously scans our infrastructure for vulnerabilities and misconfigurations.
Behavioral monitoring
Anomaly detection identifies threats instantly. Rate limiting and lockouts stop attacks before they succeed.
Penetration testing
Gray and black hat penetration tests are performed regularly by independent security firms.
Data Security
Your data is encrypted everywhere, with no permanent storage and granular access controls.
End-to-End Encryption
Your files are encrypted at all points of the transfer process:
- In transit: TLS 1.2+ for all connections, secure protocols for transfers, and HTTPS for web access
- At rest: Files stay within your platforms and aren’t stored at rest unless using optional hosted storage in AWS S3 that employs AES-256 encryption
- Infrastructure: Full-disk encryption on all servers and storage systems
Cloud Storage
When bringing your own storage (SharePoint, AWS S3, etc), files stay within the connected storage platform, and Couchdrop simply works as a secure bridge between different systems and never stores the files at any time.
Hosted Storage
Couchdrop Hosted Storage is encrypted using AES-256 via SSE-C from Amazon S3, which facilitates client-side key-based encryption. Each customer has their own set of keys used to encrypt data in hosted S3 storage and can choose from four international storage regions.
Access Controls
Admins can set granular access controls at both the user and organization level, including:
- User root isolation to any folder with granular read/write access control
- Multi-factor authentication (2FA) available across all plans
- IP whitelisting and feature restrictions
- SSO integration with your existing identity systems
- Automatic session timeouts and lockout policies
- Custom secure password policy configurations and lockout after multiple failed login attempts
Detailed Audit Logging
All system events, including authentication, transfers, and admin events, are logged and available to view at any time. Couchdrop can also send log events directly to your SIEM provider.
Infrastructure Security
Our infrastructure is built cloud-native with automated security updates and comprehensive firewall protection.
Infrastructure as Code
All infrastructure is provisioned and managed through code with microservices and containerization architecture. Components are isolated and can be updated independently, while systems can be rapidly replaced if compromised without single points of failure.
Firewall and Network Protection
Feature and protocol restrictions and configurable ACLs backed by infrastructure-wide web application firewalls, rate limiting, and IP controls help ensure only authorized traffic has access to your environment.
Automatic Updates & Patching
Ongoing infrastructure scans from Aikido check for vulnerabilities and known CVEs, and any critical issues are addressed within a day, with patches and updates delivered to users automatically.
Device and Endpoint Security
All company devices use encrypted Apple hardware with system integrity protection, full-disk encryption (FileVault), automatic security updates, remote management capabilities, and strong device access policies.
Business Continuity
Our platform is fully redundant with the ability to shift to new cloud infrastructure within 24 hours if needed. Being cloud-native across the entire organization provides flexibility and resilience that traditional on-premise solutions cannot match.
Privacy & Data Handling
Couchdrop operates under a data minimization framework that leaves you in control of your data.
Data Minimization
We collect only the data necessary to provide our service. We don't store your file contents permanently, and we don't scan or analyze your data for any purpose other than providing the file transfer service.
Data Sovereignty
You choose where your data is stored. With bring-your-own-storage, your data never leaves your chosen cloud provider. With our hosted storage, you can select the specific geographic region for your data.
Account Metadata
Account metadata includes usernames, OAUTH, and other user credential sets required for the Couchdrop service. Metadata is stored in encrypted databases located in SOC2-compliant data centers in the USA and is only accessible via Couchdrop’s secure API.
Data Retention and Deletion
Couchdrop only collects and retains data necessary to provide our service:
- Account data is purged 90 days after cancellation
- Temporary processing data is deleted immediately after transfer
- Audit logs are retained for security and compliance purposes
- Credit card information is never stored and is handled by PCI-compliant payment processors
Employee Access and Training
All Couchdrop staff are screened using a process that includes checking professional references, education, and background. Each employee also undergoes annual security awareness training.
Support staff can access customer accounts for troubleshooting, but this can be disabled in account security settings. All Support activity is logged and monitored by our operations team.
Third-Party Processors
We work with vetted subprocessors for specific functions like payment processing and infrastructure hosting. The complete list of third-party processors is available in our Trust Center.
Monitoring & Incident Response
Continuous infrastructure monitoring and a comprehensive incident response plan minimize data risk.
24/7 Monitoring
Couchdrop’s ongoing security monitoring checks for unusual access patterns, failed login attempts, and system anomalies, immediately alerting our security team if there are any suspicious behaviors.
Incident Investigation
When monitoring detects potential issues, detailed forensic data enables rapid investigation and root cause analysis. Complete audit trails help quickly determine what happened and who was involved.
Incident Response Plan
We have a documented Security Incident Response Plan with immediate containment protocols, forensic analysis capabilities, and customer notification within 72 hours if your data is affected.
Compliance & Auditing
Couchdrop meets several compliance frameworks and maintains 78 specific security controls that are monitored continuously. Independent audits and certifications are available for review through our Trust Center.
SOC 2 Type II Certified
Couchdrop is SOC 2 Type II certified and has annual third-party SOC 2 audits
HIPAA Ready
Couchdrop will sign a BAA and provides dedicated HIPAA-ready infrastructure
GDPR Ready
Couchdrop is audited for GDPR and has a DPA available to view in our Trust Center
Security documentation available
All security documentation, audit reports, and technical specifications are maintained in our Trust Center with real-time updates to security control status.
Contact Security Team
For technical security questions during evaluation, our team can provide detailed technical specifications and walk through our security architecture.
For more information on security including white papers, compliance reports, and monitoring, see our Trust Center.
Visit Trust Center →