safedrop has been developed by Od Consultancy Ltd, by the same team that has provided the ultra-secure dataroom service PROJECTFUSION since 2001. As a result, safedrop security is based on proven systems and processes that have helped facilitate thousands of datarooms - for clients ranging from law firms like CMS Cameron McKenna, to KPMG, Rothschild and many other financial services firms. We are fanatical about security - from having to use a passphrase for password resets, to being unable to view data without 2 tier authentication, every facet of safedrop is designed from the ground up to look after your data. Only 3 named senior staff have the potential to see your data. Your files are encrypted in transit and at rest, and are never ever stored in the clear.

application security

“If you reveal your secrets to the wind, you should not blame the wind for revealing them to the trees.” — Kahlil Gibran

2 tier access

A username and password or API key is required to send a safedrop. If users want to gain access to sent drops, or old data, they will have to provide a second tier of authentication, either an email or SMS token. For a hacker to get to a user's data, they have to get the password, and also compromise the user's email or phone account.

Encryption in transit and at rest

Each safedrop is encrypted at rest with a different key. So even if a hacker managed to gain access to the repository and brute-forced one file, they wouldn't have access to any of the other files. safedrops are encrypted from the server to the browser using industry standard SSL encryption.

Account & Password Security

User passwords are encrypted on the server. Password resets require a valid email address and a passphrase response. If a sender's or recipient's email address or passphrase is compromised, their data is still protected. A "three strikes and suspend" policy means that any user who logs in incorrectly 3 times in a row is temporarily locked out. This prevents brute-force password attacks.

Audit trail

All transmissions are logged for security purposes. All file deliveries and recipients are stored in a database accessible by system administrators. Files are not stored after their validity has expired; however, we retain SHA-1 checksums for each file.

safedrop message security

“The user's going to pick dancing pigs over security every time.” — Bruce Schneier

Minimising the capture window

safedrop introduces two concepts to maximise security. 'Self Destruct' means a document is deleted from our servers after it has been downloaded by all recipients. With this setting a recipient only gets one chance to download the safedrop message and attachments. safedrop messages also have a validity time, after which they are deleted permanently from the server. A combination of delete on download and a short validity time ensures high security. A self destruct message URL is useless after download, and cannot be forwarded or used again.

Level 1 Security - Unguessable message IDs

safedrops are given long identifying URLs that are sent in the email to the recipient. These are unguessable (well, you have a 1 in 3x10^38 chance, and even then, you'd still have to know which email address it was destined for).

Level 2 Security - Default - Unguessable message IDs & Email verification

As well as receiving a long identifying URL by email, users accessing a safedrop with level 2 security must first validate their computer by receiving an email security token, which they enter to access the drop. They may choose to mark the computer as 'private', in which case they will not be asked for an email token again for 28 days on that computer. This use of tokens and URLs prevents users from sharing the long URL with other people.

Level 3 - SMS for 2 tier recipient authentication

With optional phone security enabled, recipients collecting a message must receive an SMS and type in the one-time PIN code provided. This provides 2 tier authentication.

Strong default security

People don’t care about security, especially when they’re in a hurry. So our default sending mode is level 2 security. Extra security is easy to add.

Revoke messages

We all make mistakes. With safedrop, if you send a message to the wrong people, you can revoke it.
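The message lifecycle described in this section (unguessable IDs, validity time, 'Self Destruct' on download by all recipients, and revocation) modelled as a small in-memory store. This is an added illustration, not safedrop's own code; it assumes the recipient's identity has already been verified by the level 2/3 token step and stands in for the real server-side storage.

```python
import secrets
import time


class SafedropStore:
    """Constructed toy model of safedrop message handling (not the product's code)."""

    ID_BYTES = 16                    # 128 random bits: about 3.4 x 10^38 possible IDs
    ID_SPACE = 2 ** (ID_BYTES * 8)   # so a guess succeeds with probability 1 / ID_SPACE

    def __init__(self, now=time.time):
        self.now = now               # injectable clock so expiry can be tested
        self.drops = {}

    def send(self, recipients, payload, validity_seconds, self_destruct=True):
        """Store a message and return its unguessable URL token."""
        drop_id = secrets.token_urlsafe(self.ID_BYTES)
        self.drops[drop_id] = {
            "payload": payload,
            "expires": self.now() + validity_seconds,   # validity time
            "allowed": set(recipients),                 # who may still collect it
            "self_destruct": self_destruct,
        }
        return drop_id

    def collect(self, drop_id, recipient):
        """Return the payload for a verified recipient, or None if it is unavailable."""
        self._purge_expired()
        drop = self.drops.get(drop_id)
        if drop is None or recipient not in drop["allowed"]:
            return None              # unknown, expired, revoked, or not (any longer) for them
        if drop["self_destruct"]:
            drop["allowed"].discard(recipient)   # one chance per recipient
            if not drop["allowed"]:              # everyone has downloaded: delete permanently
                del self.drops[drop_id]
        return drop["payload"]

    def revoke(self, drop_id):
        """Sender sent it to the wrong people: remove it. True if something was removed."""
        return self.drops.pop(drop_id, None) is not None

    def _purge_expired(self):
        """Permanently delete every drop whose validity time has passed."""
        now = self.now()
        for drop_id in [k for k, d in self.drops.items() if d["expires"] <= now]:
            del self.drops[drop_id]
```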

Want more?!

If you can describe it, we will try to implement it! Just get in touch and let us know what you would like.

people and process security

"You can't hold firewalls and intrusion detection systems accountable. You can only hold people accountable." — Daryl White, DOI CIO

All employees trained on information security and privacy procedures

First line support personnel have no access to confidential information, client data or backend systems. Our expert 3 man support team, under strict NDA, are the only people with access to your server. Written permission is required before our support team will view or examine any files in your safedrop instance. New starts are identity checked to BS7858 level, and employed for at least 4 months before being given access to servers. Systems access is logged and tracked for auditing. Fully documented change management procedures are in place.

infrastructure security

"The mantra of any good security engineer is: 'Security is a not a product, but a process.' It's more than designing strong cryptography into a system; it's designing the entire system such that all security measures, including cryptography, work together." — Bruce Schneier

All data stored in at least 2 European Data Centres

All servers are hosted in European SAS Type II and ISO 27001 compliant data centres. All data and backups kept in Europe at all times, meeting European data protection requirements. All data is stored in at least two geographically separate data centres at any time.

HIPAA Compliance

safedrop meets the US Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements.

3rd Party Audits

Servers & applications are scanned, penetration tested and security checked to the application level every 12 months to meet standard criteria and a specific threat profile for online document delivery. Please contact our sales team if you wish to conduct your own security audit, or examine a recent audit we’ve completed.

Server access and logging

Server access is strongly restricted with n-tier restrictions. We use sudo to maintain an audit trail of system administration duties. No development work is undertaken on production servers, and no developer logons are available. The system exposes only port 443 to the world.

System Development Life Cycle

A proprietary formal SDLC is in place. All development work is undertaken in a local test environment. After passing internal phase 1 testing, new releases are moved to a staging environment for stage 2 testing, which checks for logical errors, security errors, cross-site errors etc. After passing stage 2, the release is approved and moved onto external sites.