Security Management Systems
ISO 27001:2013 Certification confirmed by SRI an independent, world class ISO certification organization and accredited Registrar Company.
Nov 29 2021 SRI confirmed ShareVault had implemented the necessary security measures and countermeasures to safeguard the security management systems from compromise or unauthorized access. The ISO 27001:2013 certification is evidence that ShareVault takes any threats to data integrity, information security and confidentiality very seriously.
FDA Regulation Title 21 CFR Part 11
ShareVault welcomes audits by qualified personnel to verify that we have met the requirements of 21 CFR Part 11. Validation of ShareVault data room compliance with 21 CFR 11 is a standard part of our Quality process with every release.
Each release is accompanied by a Validation Summary and a complete 21 CFR 11 Validation Package containing all the necessary information, test scripts and instructions for any customer to be able to conduct their own validation and sign off the IQ, OQ and PQ themselves.
ShareVault is deployed in a Virtual Private Cloud (VPC) managed by RackSpace and hosted by Amazon Web Services (AWS). The ShareVault architecture assures compliance, comprehensive security, high availability, elastic scalability and outstanding performance so that our customers can rest assured that their critical information is kept safe and can be accessed by authorized users at any time without waiting. ShareVault IT infrastructure is managed by RackSpace, an AWS Premier Consulting Partner. AWS provides the dedicated hardware, secure data center, advanced resiliency functions and the optimized and secure networking technology.
ShareVault is used for applications that demand adherence to stringent security standards for protection of sensitive information, so our customers expect compliance with a variety of standards, and count on us to provide cutting-edge security functionality.
ShareVault servers are dedicated instances located in an AWS virtual private cloud (VPC), assuring that the hardware is not shared with other AWS accounts. Each of ShareVault's AWS server instances are hardened according to RackSpace’s best practices and in accordance with the relevant security standards. RackSpace management services provide dedicated 24/7/365 real-time monitoring for network/applications, system anomalous events, emerging threats, event investigation, detection escalation, and incident response support. The layered security architecture is based on separate public and private subnets combined with AWS security groups to maximize isolation and limit access. Backend access to the servers for maintenance is done only via secure bastion servers or VPN through a firewall.
Secure Software Development
ShareVault software engineers and quality control personnel are periodically trained on secure software development methodologies, and our application regularly undergoes third party vulnerability assessments by a leading web application security consultancy, including both automated vulnerability scanning and systematic manual penetration testing.
Platform Infrastructure Certifications
RackSpace’s AWS services are certified SOC 1/2/3, PCI, ISO 90001 / 27001 / 27017 / 27018, FedRAMP Moderate, DoD CC SRG IL2, HIPAA, and HITRUST. These security certifications are essential to ShareVault since our customers’ files often contain personally identifiable information (PII), protected health information (PHI), and other sensitive information. Also, these certifications confirm that trusted third parties have verified for our adherence to the proclaimed security controls and their effectiveness.
Two-Step Verification (Two-Factor Authentication)
ShareVault offers two-step verification (also known as two-factor authentication), which enhances the security of a user's login process by requiring the entry of a secure code which is either delivered by text message to the user's phone, or via an Authenticator app, such as Google Authenticator, Microsoft Authenticator, Authy, Duo or LastPass Authenticator on the user's smartphone.
Confidentiality Notice, with Optional Clickwrap Compliance
You can configure ShareVault to display a customizable notice to users upon login, which can be used to declare the shared documents as confidential. You can tailor both the content and formatting of the notice according to your needs. With ShareVault Express, a single confidentiality notice can be configured for your all end users. With ShareVault Pro and ShareVault Enterprise you can create multiple confidentiality notices, and each can be assigned to a different user group.
For applications requiring that the confidentiality notice be legally enforceable according to UETA and ESIGN requirements, ShareVault Enterprise can be configured with the Clickwrap Compliance option. With the Clickwrap Compliance option, each user's acceptance of the confidentiality notice is separately recorded, with version control of the notice's contents. Users are required to scroll through the entire agreement, and are notified when the the content of the notice has changed since their previous login.
Encryption at Rest with Key Management
Files stored on ShareVault are encrypted at rest with AES 256 using key management that prevents access to your files via the ShareVault back end. Keys are only accessible via an authenticated session, and are never stored to disk. Because of this, the only way to open files in ShareVault is by using the ShareVault web application.
Customer Managed Encryption Keys
ShareVault also offers Customer Managed Keys (CMK) as an option for ShareVault Pro and Enterprise, providing the ultimate in encryption key management security for applications that demand the highest level of data security, but without the complexity of deploying and maintaining your own HSM (Hardware Security Module). We also support "Bring Your Own Key" (BYOK), so your IT team can integrate your own KMS instance for further isolation and further increased security.
Encryption in Transit with Extended Validation
All connections to ShareVault servers are via HTTPS over Secure Sockets Layer (SSL), providing AES 256 encryption in transit. Our Enhanced Validation (EV) certificate provides assurance that best practices have been followed for domain identity validation.
In some cases, it’s useful for a user to be able to see the name and identity of another user in ShareVault – you might want to allow users in the same group (users in the same company or a company’s law firm, for example) to be able to see their colleague’s name as the uploader of a file, or to be able to see the history of documents viewed by a colleague.
However, in other cases, it is essential to prevent users from seeing the name and identity of another user. Users who belong to two different groups corresponding to competing companies, for example, should not be able to see each other’s names, identity, or history.
ShareVault has a simple and elegant solution to manage inter-group privacy. It’s quick and easy to configure, and it automatically applies the appropriate privacy rules as needed by revealing, anonymizing or hiding user identity information, as appropriate.
GDPR, CCPA and PrivacyShield
The ShareVault infrastructure is based on a high-availability architecture with redundancy at multiple levels. At all times, there are at least two instances of each of the server types located in two different AWS availability zones, ensuring geographic redundancy, independent infrastructure, and real-time failover in the event of a failure.
Additionally, snapshots of all servers in the ShareVault infrastructure are written daily to encrypted AWS S3 storage so that in the highly unlikely event of both availability zones being affected in the AWS Region that hosts ShareVault, a disaster recovery of ShareVault can be quickly deployed from the snapshot. Encryption keys for the customer data files are stored in a separate AWS region so that they can be accessed for disaster recovery.
Virtually all software updates, enhancements and bug fixes can be applied in stages to one server at a time, while the other server(s) handle user activity, which eliminates even planned downtime.
† Excluding planned downtime.
of your most confidential