All files at rest (signed and faxed files) are encrypted using 256-bit Advanced Encryption Standard (AES), with unique encryption keys for each user. To protect data in transit between our apps (currently mobile, API, or web) and our servers, we use Transport Layer Security (TLS) which is evolved from a previous encryption protocol called Secure Sockets Layer (SSL), for data transfer, creating a secure tunnel protected by 128-bit or higher Advanced Encryption Standard (AES) encryption. We support TLS 1.3 which is faster and more secure than TLS 1.2 and adds an additional layer of privacy to an encrypted period, making certain that the two endpoints are the only ones capable of decrypting the traffic.
To increase stability, performance and security, our system architecture is based on an n-tier architecture with multiple layers of protection, including encryption, network configuration, and application-level controls distributed across a scalable, secure infrastructure.
Our security team performs automated and manual application security testing on a regular basis to identify and patch potential security vulnerabilities and bugs on our web and mobile applications. We also perform annual security testing through third-party audits, allowing us to quickly resolve any possible issues found on our web, API, or mobile applications. To further reduce the risk of security incidents, we are also part of security platforms such as HackerOne.
Our key management infrastructure which is used for the encryption of files at rest (signed files and faxed files) is designed with operational, technical, and procedural security controls with very limited direct access to keys.
Aside from complex network level firewalls, we use enterprise-class web application firewalls (WAF) to protect our service from vulnerabilities like SQL injection attacks, cross-site scripting, and cross-site forgery.
All faxed files and signed files are only stored in Swiss datacenters that operate from locations conforming to the most restrictive security standards (ISO 27001) and are part of the Cloud Security Alliance (CSA). One of our datacenters is located in Zurich buried underground the Alps in a former military anti-atomic command and control center and the other is in Geneva, close to European financial ecosystems and global markets. To address regional and country-specific data privacy and residency requirements, customers can move their fully encrypted files in between datacenters located in different locations worldwide. Learn more about Data Residency
We make use of a CDN with network capacity 15x bigger than the largest DDoS attack ever recorded to protect our service from potential DDoS attacks.
The scope of the information security management system (ISMS) Alohi has gotten certified for is to ensure the protection of our customers’ data and applies to all stakeholder relationships with Alohi, including the people, processes and tools required to develop, support and maintain the services and products provided by Alohi.
Our SOC 2 report is a detailed level of controls-based assurance, covering the Trust Service Criteria for Security (TSP Section 100). It also includes a thorough description of Alohi’s processes and the numerous controls in place to protect your data. This report was carried out by the globally known and reputable EY CertifyPoint and it certifies the effective design and operation of our controls.
We understand the sensitivities and the seriousness associated with keeping patient healthcare data private and secure and that’s why we have looked into details of all administrative, physical and technical safeguard specifications with fine precision, mitigating all HIPAA requirements to safeguard our customers’ data, individuals’ protected health information (PHI) and electronic protected health information (ePHI).
We maintain compliance with the current version of the PCI DSS to ensure safe and secure handling of customers’ payment card information, and rigorous data security standards to ensure that our customer’s credit card information remains safe and secure.
We do not store any Credit Card information only anonymized tokens, as provided by these services. We rely on Stripe and Paypal to process payments on our Web and Android applications, purchases within our iOS application are made available via Apple’s in-app purchase mechanism.
In addition to all the security measures we take to ensure the highest level of security and privacy for all our users and their data, we provide the administrators of our Enterprise plans certain security tools and features to have more controls over the protection of their data. Access Logging: Detailed access logs are available both to users and administrators of Enterprise teams. We log every time an account signs in, noting the type of device used and the IP address of the connection.
Currently, Advanced Security Controls are only available for FAX.PLUS Enterprise plans.
All user data is protected by the Swiss Federal Data Protection Act (DPA) and the Swiss Federal Data Protection Ordinance (DPO) which offers some of the strongest privacy protection in the world for both individuals and corporations. As Alohi (SIGN.PLUS and FAX.PLUS) is outside of US and EU jurisdiction, only a court order from the Cantonal Court of Geneva or the Swiss Federal Supreme Court can compel us to release the extremely limited user information we have.
Our number one priority is the privacy and security of our customers’ data. To excel at this, we welcome the vital role that security researchers play in keeping systems and data safe. To encourage the responsible reporting of potential security vulnerabilities, the security team is committed to working with the community to verify, reproduce and respond to legitimate reports. If you believe you’ve identified a potential security vulnerability, please report it to us right away. We will investigate all legitimate reports and do our best to quickly address the problems.
You can submit your report through our HackerOne Vulnerability Disclosure Program.