iCapture Security Statement

Thousands of users have entrusted iCapture with their data, and we make it a priority to take our users’ security and privacy concerns seriously. Your data is yours. You control your data; how you release it or use it is up to you. We don’t sell your information to anyone and we don’t use the captured data you collect for any purpose other than to provide service to you. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner.

Application and User Security

  • SSL/TLS Encryption: All communications with the iCapture BackOffice website are sent over SSL/TLS connections. Secure Sockets Layer (SSL) and Transport Layer Security (TLS) technology (the successor technology to SSL) protect communications by using both server authentication and data encryption. This ensures that user data in transit is safe, secure, and available only to intended recipients.

  • User Authentication: User data on our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. iCapture issues a session cookie only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user.

  • User Passwords: User application passwords have minimum complexity requirements. Passwords are hashed.

  • Data Portability: iCapture enables you to export your data from our system so that you can back it up, or use it with other applications.

Physical Security

  • Data Centers: Our information systems infrastructure (servers, networking equipment, etc.) is colocated at a third-party SSAE16 / ISAE 3402 Type II, ISO 27001 data center.

  • Data Center Security: Our data centers are staffed and surveilled 24/7. Access is secured by biometrics and audited by an independent firm.

  • Environmental Controls: An N+1 redundant HVAC (heating, ventilation, and air conditioning) system ensures a duplicate system immediately comes online in the event of an HVAC system failure. Advanced fire suppression systems are in place.

  • Location: All user data is stored on servers located in the United States.

Availability

  • Connectivity: Fully redundant IP network connections from 9 independent providers for multiple redundancies.

  • Power: N+1 redundant UPS power subsystem, with instantaneous failover if the primary UPS fails. If an extended utility power outage occurs, the data center’s routinely tested, onsite diesel generators can run indefinitely.

  • Uptime: Continuous uptime monitoring, with immediate escalation to iCapture staff for any downtime.

Network Security

  • Scans: Regular security scans are performed using industry standard software.

  • Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.

  • Firewall: A firewall restricts access to all ports except those critical for operation.

  • DDoS: Distributed Denial of Service (DDoS) mitigation services in place.

  • Patching: Latest security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.

  • Access Control: Secure VPN, multifactor authentication, and role-based access are enforced for systems management by authorized engineering staff.

  • Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.

Storage Security

  • Data at Rest: Strong encryption of sensitive data archived data.

  • Backup Frequency: Strongly encrypted backups occur hourly internally and daily offsite.

  • Production Redundancy: Data is stored on RAID 10 arrays.

Organizational & Administrative Security

  • Employee Screening: We perform background screening on all employees.

  • Service Providers: No external entities deal directly with user data.

  • Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know / least privilege necessary basis.

Handling of Security Breaches

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if iCapture learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under various state and federal laws and regulations, as well as any industry rules or standards that we adhere to.

Your Responsibilities

Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems. This includes passwords on devices and careful storage of downloaded data.

Custom Requests

Due to the number of customers that use our service, specific security questions or custom security forms can only be addressed for customers purchasing a certain volume of user accounts within an iCapture Enterprise subscription. If your company has a large number of potential or existing users and is interested in exploring such arrangements, please contact us.