The ShareVault platform provides bank-grade security, privacy, availability, and compliance. ShareVault is used for applications that demand adherence to stringent security standards for protection of sensitive information, so our customers expect compliance with a variety of standards, and count on us to provide cutting-edge security and privacy functionality.
Information Security Standards Compliance
ShareVault is ISO 27001:2013 certified, confirming that ShareVault has implemented the necessary security measures and countermeasures to safeguard the security management systems from compromise or unauthorized access, assuring data integrity, information security and confidentiality. Compliance has been confirmed by SRI an independent, world class ISO certification organization and accredited Registrar Company. Click here to view the certificate. The authenticity of this certificate may be verified here: www.SRIRegistrar.com
Furthermore, our infrastructure partner (AWS) is certified SOC 1/2/3, PCI, ISO 90001 / 27001 / 27017 / 27018, FedRAMP Moderate, DoD CC SRG IL2, HIPAA, and HITRUST. These security certifications are essential to ShareVault since our customers’ files often contain personally identifiable information (PII), protected health information (PHI), and other sensitive information. Also, these certifications confirm that trusted third parties have verified for our adherence to the proclaimed security controls and their effectiveness.
Regulation Title 21 CFR Part 11
For customers subject to regulation by the FDA, ShareVault offers an optional 21 CFR Part 11 compliance package. Under this program, clients receive a validation package containing all the necessary release information, test scripts and instructions for any customer to be able to conduct their own validation and sign off the IQ, OQ and PQ themselves. The package also includes support of audits by qualified personnel to verify that we have met the requirements of 21 CFR Part 11.
GDPR, CCPA and PrivacyShield
The ShareVault platform assures comprehensive security, high availability, elastic scalability, and outstanding performance so that our customers can rest assured that their critical information is kept safe and can be accessed by authorized users at any time without waiting. The scalable cloud services, dedicated hardware, secure data center, advanced resiliency functions and secure networking technology on which the ShareVault platform is deployed are provided by Amazon Web Services (AWS), with DNS Security and DDoS protection assured by Cloudflare.
ShareVault servers are located in an AWS virtual private cloud (VPC), using dedicated instances assuring that the hardware is not shared with other AWS accounts. Each of ShareVault's AWS server instances are hardened according to industry best practices and in accordance with the relevant security standards.
Crowdstrike provides the information security service for the ShareVault platform, including dedicated 24/7/365 real-time monitoring for network/applications, system anomalous events, emerging threats, event investigation, detection escalation, and incident response support. The layered security architecture is based on separate public and private subnets combined with AWS security groups to maximize isolation and limit access. Backend access to the servers for maintenance is done via VPN through a firewall.
The ShareVault infrastructure is based on a high-availability architecture with redundancy at multiple levels. The result is that ShareVault has consistently delivered over 99.9% uptime† since we launched in 2006. At all times, there are at least two instances of each server type located in two different AWS availability zones, ensuring geographic redundancy, independent infrastructure, and real-time failover in the event of a failure.
Additionally, snapshots of all servers in the ShareVault infrastructure are written daily to encrypted AWS S3 storage so that in the highly unlikely event of both availability zones being affected in the AWS Region that hosts ShareVault, a disaster recovery of ShareVault can be quickly deployed from the snapshot. Encryption keys for the customer data files are stored in a separate AWS region so that they can be accessed for disaster recovery.
In order to minimize downtime, most software updates, enhancements and bug fixes can be applied in stages to one server at a time, while the other server(s) handle user activity.
To comply with your country's data residency regulations, your ShareVault account can be deployed in any of the 33+ geographic regions in AWS's global infrastructure. User experience is seamless across regions — users need only maintain one password and user profile, and their login experience flows smoothly and transparently based on the geographic regions to which they belong.
Secure Software Development
ShareVault practices SSLDC (Secure Software Development Life Cycle) management. ShareVault software engineers and quality control personnel are periodically trained on secure software development methodologies, and our application regularly undergoes third party vulnerability assessments by a leading web application security consultancy, including both automated vulnerability scanning and systematic manual penetration testing.
Encryption at Rest with Key Management
Files stored on ShareVault are encrypted at rest with AES 256 using key management that prevents access to your files via the ShareVault back end. Keys are only accessible via an authenticated session, and are never stored to disk. Because of this, the only way to open files in ShareVault is by using the ShareVault web application.
Customer Managed Encryption Keys
ShareVault also offers Customer Managed Keys (CMK) as an option for ShareVault Enterprise, providing the ultimate in encryption key management security for applications that demand the highest level of data security, but without the complexity of deploying and maintaining your own HSM (Hardware Security Module). We also support "Bring Your Own Key" (BYOK), so your IT team can integrate your own KMS instance for further isolation and increased security.
Encryption in Transit with Extended Validation
All connections to ShareVault servers are via HTTPS over Secure Sockets Layer (SSL), providing AES 256 encryption in transit. Our Enhanced Validation (EV) certificate provides assurance that best practices have been followed for domain identity validation.
ShareVault connectors are implemented using security best practices so that your files shared via the connectors are kept safe:
- Connectors are managed by the customer, not ShareVault, and no passwords are shared or stored.
- Connectors are built using your cloud service provider's public API (Box API, DropBox API, Microsoft API, Google API, Docusign API) authenticated by your unshared credentials.
- Connector data flow is unidirectional into ShareVault via an encrypted tunnel — There is no data flow from ShareVault into your cloud service provider, so the content hosted at your service provider cannot be changed by ShareVault.
- The ShareVault side is managed by the customer, and its connection has no publicly exposed attack surfaces.
- Moreover, ShareVault does not use (and has never used) SFTP or equivalent tools such as MOVEit for any purpose including for connectors data transfer.
Two-Step Verification (Two-Factor Authentication)
ShareVault offers two-step verification (also known as two-factor authentication), which enhances the security of a user's login process by requiring the entry of a secure code which is either delivered by text message to the user's phone, or via an Authenticator app, such as Google Authenticator, Microsoft Authenticator, Authy, Duo or LastPass Authenticator on the user's smartphone.
Confidentiality Notice, with Optional Clickwrap Compliance
You can configure ShareVault to display a customizable notice to users upon login, which can be used to declare the shared documents as confidential. You can tailor both the content and formatting of the notice according to your needs. With ShareVault Express, a single confidentiality notice can be configured for all your end users. With ShareVault Pro and ShareVault Enterprise you can create multiple confidentiality notices, and each can be assigned to a different user group.
For applications requiring that the confidentiality notice be legally enforceable according to UETA and ESIGN requirements, ShareVault Enterprise can be configured with the Clickwrap Compliance option. With the Clickwrap Compliance option, each user's acceptance of the confidentiality notice is separately recorded, with version control of the notice's contents. Users are required to scroll through the entire agreement, and are notified when the the content of the notice has changed since their previous login.
In some cases, it’s useful for a user to be able to see the name and identity of another user in ShareVault – you might want to allow users in the same group (users in the same company or a company’s law firm, for example) to be able to see their colleague’s name as the uploader of a file, or to be able to see the history of documents viewed by a colleague.
However, in other cases, it is essential to prevent users from seeing the name and identity of another user. Users who belong to two different groups corresponding to competing companies, for example, should not be able to see each other’s names, identity, or history.
ShareVault has a simple and elegant solution to manage inter-group privacy. It’s quick and easy to configure, and it automatically applies the appropriate privacy rules as needed by revealing, anonymizing or hiding user identity information, as appropriate.
† Excluding planned downtime.
of your most confidential