Does Couchdrop have any security or compliance certifications?
Yes, Couchdrop is SOC2 Type 2 certified and also holds the UK National Cyber Security Centre, Cyber Essentials certification.

Are there staff dedicated to information security?
Security is led by both the CTO and COO but security is everybody's responsibility inside and outside of Couchdrop and therefore it is a shared responsibility across the organisation.

Are there risk management procedures?
Yes. Couchdrop uses management procedures, including identification of threats, vulnerabilities and consequences and using treatment options to reduce residual risk to an acceptable level.

Is there an Information Security Policy?
Yes. Couchdrop has multiple policies to cover InfoSec assets and include topics such as Acceptable Use, Access Control, Encryption, etc.

Is there a Disaster and Business Continuity Plan?
Yes. Couchdrop is a modern architected platform that is fully redundant in its day to day sense. Should an issue arise Couchdrop has the ability to shift to a new cloud platform in less than 24 hours. Additionally, Couchdrop is a cloud native business across the entire organisation, due to this it enables flexibility and resilience in all areas of the business.

How do program updates get installed?
Couchdrop is a Software as a Service (SaaS) platform and as such is continuously updated to address bug fixes and add new features.

Is there a Change Management process?
Yes. Couchdrop completes pre-production testing and approval.

Does Couchdrop complete employment checks prior to hiring?
Yes. Couchdrop employees are screened using a process that includes checking professional references, background and education prior to employment. All employees sign confidentiality agreements and undergo annual security awareness training as part of the onboarding process.

Is there an employee termination process?
Yes. Should an employee leave the company all access is immediately revoked from all of Couchdrop’s systems, platform and software.

What physical/environmental controls are in place for Couchdrop’s infrastructure?
Couchdrop has been engineered to take advantage of the Digital Ocean and Amazon Web Services (AWS) native infrastructure that includes multiple physical and environment controls as reported in both ISO 27001 and SOC 2 AWS and Digital Ocean audit documents reviewed annually.

Is Couchdrop access logged?
Yes. Separate access and operational logs are maintained on all underlying systems. Couchdrop application logs are available in its interface in real-time and detail login events, through to file operations.

Can we manage our own data retention?
Yes. If you bring your own storage you have the full capability to maintain data retention to your requirements without Couchdrop being involved. If you choose to use Couchdrop’s hosted storage, backups for a 30-day period are retained.

What is Couchdrop’s SLAs?
Unless you have a dedicated presence with otherwise agreed SLAs. Couchdrop’s uptime SLA is 99.9%, with an Recovery Time Object (RTO) of 2-4 hours and Recovery Point Objective (RPO) of having the whole platform functional with minimal loss of transactions or data.

Can we use 2FA/MFA on our account?
Yes, 2FA is available across all plans and for accounts logging into the web portal.

How long do Couchdrop web sessions last for?
Couchdrop web sessions last for a maximum of 30-days before termination.

Can we control access to our account from specific locations?
Couchdrop enables the ability to set specific firewall rules per user. This is regardless if the user is a client uploading via SFTP or an administrator  logging in to conduct management via the admin portal.

Can our users stay connected all day?
Couchdrop automatically times out sessions at specific intervals depending on the connection means. 

Is our data encrypted?
For data in transit data is encrypted using either HTTPS (TLS 1.2 minimum) or SSH depending on the protocol used. This only applies to organisations that opt to use secure protocols such as HTTPS, SFTP, FTP/S, SCP, S3 and Rsync with the correct options. Insecure methods such as FTP will not be encrypted for the communication from the FTP client to the Couchdrop platform, however the data will be encrypted when being transferred into the storage itself through HTTPS.

For data at rest using Couchdrop’s hosted storage, data is encrypted using AES256. When bringing your own storage data encryption responsibility sits with either yourself as the bucket owner or with your chosen storage vendor.

Additionally, Couchdrop enables you to further encrypt your data using PGP encryption when using Couchdrop automate and its file workflows feature.

Can we do our own penetration test against Couchdrop?
Due to the potential load this places on our systems, we limit this activity to clients on our Enterprise plan and above. You must coordinate with us before performing any testing and you must also agree to share the results of your testing.

Is data stored outside the US?
Couchdrop enables its customers to bring its own storage. Through this offering it provides customers the assurance and ability to have full control and visibility of their data at rest. This ensures customers can apply their own data retention, backup and security policies to the data at rest and apply other third party solutions (such as anti-virus) to the data without being locked in with Couchdrop as a solution. If choosing Couchdrop hosted storage then Couchdrop provides the ability to choose which region your storage bucket resides.

How is our data kept secured from other users?
Couchdrop is a multi-tenant Software as a Service (SaaS) and separates all customer’s data through industry best practices. 

If we leave, will you keep our data?
No. Couchdrop will purge your client site information and data after ninety (90) days. Purged data is not recoverable. The cancellation procedure is built into the Couchdrop product and is initiated by your administrators.

What about our credit card data?
Couchdrop does not store credit card data. Client credit card information is stored in a highly secure, PCI-compliant system by our payment vendors Stripe, Xero and PayPal.

Can your staff access our data?
Couchdrop’s support team may access your file metadata (not file data) and logs for support purposes only, and with explicit permission initiated by your site admins following a validation process built into the administration system.

Couchdrop’s engineering staff have access to the underlying technology that can access metadata and log information and the storage locations of the actual data. The encryption keys required to decrypt the actual data are stored in a key-management escrow service operated by Doppler.

It is possible within the product to block all access from Couchdrop employees. It is a check box under Administration -> Security.

Do you have any third-party audits?
Couchdrop has been engineered in a modern capacity to take advantage of the Amazon Web Services (AWS) and Digital Ocean infrastructure and platforms which includes annual ISO 27001 and SOC 2 reviews. Couchdrop's agreement with both providers contains the requirements we have determined are necessary for compliance with Couchdrop security policies.

I have more questions, how do I best get more clarification?

Should you have further questions outside of the whitepaper or this FAQ, it is recommended that you contact your Couchdrop sales or support representative to schedule a call with the appropriate team to answer your questions. As previously clarified, Couchdrop has a firm company policy to not accept “standardised” security questionnaires.