Placing your data in the hands of a third-party provider requires robust security precautions. Safeguarding your data’s security and integrity is paramount to us, and we have designed our services with this in mind. We regularly conduct risk assessments, which guide the implementation of security measures and controls to ensure risks are minimized to an acceptable degree.
This page outlines the technologies and processes we use to protect your data and provides insight into our security culture. While we strive to be clear and legally precise, this sometimes means the explanations may not be the simplest. If anything is unclear, feel free to reach out through the
Contact Support page.
Security at DocEvent.io
DocEvent.io is a secure file transfer and routing platform designed with an easy-to-use interface and a strong focus on data security. The confidentiality, integrity, and availability of your data are critically important to us, and our services are built around this principle.
Our goal is to ensure our clients’ security while using DocEvent.io, and to assist them in achieving certifications and compliance with relevant regulations through our platform.
To uphold this commitment, our Simple FTP service is designed so that, by default, we are unable to view your data, whether in transfer or at rest. This core principle guides everything we do. Additionally, we are in the process of completing and certifying for various international standards to further strengthen our security posture.
Standards and frameworks
PCI DSS
The DocEvent.io platform does not store payment card data. Card details are captured and processed by a PCI DSS Level 1 certified payment provider, so cardholder data never touches our systems.
Because payment card data is handled entirely by our PCI DSS certified provider (currently PCI DSS v4), it is processed in compliance with the Payment Card Industry Data Security Standards, and our provider supports the Strong Customer Authentication requirements of the Revised Directive on Payment Services (PSD2).
OWASP
We adhere to OWASP guidelines in the secure development and testing of our applications.
NIST
We follow the NIST Cybersecurity Framework, which offers a policy framework for computer security guidance. This framework helps us assess and enhance our ability to prevent, detect, and respond to cyber attacks.
FIPS
Where applicable, we use FIPS 140-validated cryptographic modules — for example, AWS FIPS-validated endpoints and services — in systems that involve cryptographic methods.
Security monitoring and auditing
DocEvent.io collects application, infrastructure, and system logs in a centrally managed log repository for monitoring, troubleshooting, security reviews, and analysis by authorised personnel. Logs are retained in compliance with regulatory requirements to support investigations in the event of a security incident.
Security organisation
DocEvent.io assigns clear responsibility and accountability for information security administration. Those responsible oversee risk assessment, the development of policies, standards and procedures, testing, and security reporting.
Senior management is actively involved in information security governance, including ensuring compliance with our security principles, defining security and business continuity initiatives, and overseeing the security of both the company and the platform.
Physical security
DocEvent.io’s infrastructure is hosted by Amazon Web Services (AWS), with our main servers located in the us-east-1, ap-southeast-2, and eu-west-1 regions. Our primary authentication for web login is handled by a Cognito service in AWS us-east-1.
As of 2019, DocEvent.io operates as a 100% remote company worldwide, making AWS data centres our only physical premises.
All physical security measures for AWS facilities are governed by the AWS Shared Responsibility Model.
Segregation levels
We segregate access to our data across different levels:
- Tenant level: Multi-tenant infrastructure where resources are shared among tenants.
- Account level: We use separate AWS accounts within a single AWS Organization — including a management (owner) account, production and development — so environments are isolated from one another. Our development account also serves as our test environment, and application development itself is carried out on local developer machines.
- AWS resource level: Data is segmented across various clusters of databases for metadata and configuration storage, e.g. Elasticsearch.
- Application level: Customers are logically segmented within the application layer by a common API authentication endpoint service, used for logging and continuity between all services.
Network security
Each of our environments is hosted in a separate AWS account within our AWS Organization. Access to servers is tightly controlled by security groups.
To provide an additional layer of internal and external network security, we have implemented state-of-the-art perimeter controls, including Firewalls, Intrusion Detection Systems, Web Application Firewalls, and other advanced security measures at the edge locations.
Access to our servers is strictly limited.
Access control
Access to DocEvent.io resources is only allowed through secure connectivity methods such as AWS SSM, along with multi-factor authentication. We adhere to the principle of least privilege, ensuring that every access is audited, tracked, and monitored so that employees only have the permissions necessary to perform their duties.
This approach ensures that employees can only access DocEvent.io systems via an extra-secure connection. When someone leaves the company, their access is immediately revoked.
Access to customer data by DocEvent.io
Our Simple FTP Service is designed so that we are not able to view customer data as it is transferred to the customer’s chosen backend servers. It is designed so as to be able to pipe data from an incoming SFTP or FTPS connection directly to the endpoint of the customer’s choice, e.g. Azure, AWS, GCS or another S3-compatible service.
Our Channels Service stores data in encrypted S3 buckets that are not publicly accessible and adhere to our network security and access control principles. We remove data immediately once:
- The file transferred reaches all destinations that are required;
- The file transfer fails after a predefined set of retries; or
- The file is older than 1 day.
Keys to access any customer buckets, or customer services / endpoints including any private configuration information and passwords, are encrypted using AWS KMS. The service is designed so that no staff have access to the keys, and are unable to use the keys for decryption.
DocEvent.io stores personally identifiable information (PII) of the following:
- From our customers: This includes basic identification and contact data, as well as billing information, necessary to provide our services, customer support, and billing. Credit card information or bank account details are handled by a PCI DSS certified third party.
Security policies and awareness
We maintain a comprehensive set of information security policies aligned with the ISO 27001 standard to ensure compliance and to guide our employees and contractors in making sound security decisions. These policies cover a range of areas, including password management, data protection and classification, secure communications, continuity and contingency planning, acceptable use of workstations and mobile devices, and backup procedures, among others. We review and update these policies at least annually or whenever a significant change occurs.
All employees and contractors are bound by non-disclosure agreements, and we provide ongoing security awareness training throughout the company. Additionally, all service providers and contractors who process any personal data you have entrusted to us are required to sign data processing agreements in accordance with European data protection laws, ensuring an adequate level of protection.
This ensures that everyone at DocEvent.io adheres to our internal security guidelines, receives regular training on them, and operates under policies that are consistently updated.
Penetration tests
As part of our security strategy, we engage independent security firms to conduct penetration tests on our platform, at least annually and after significant changes. Vulnerabilities and findings are ranked by severity and prioritised for resolution accordingly.
This means we bring in security experts to rigorously test the boundaries of our security infrastructure, helping us identify and address any potential weaknesses.
Vulnerability assessments and penetration tests are integral to our secure development lifecycle (S-SDLC) and cybersecurity control processes:
- Automated vulnerability scanning of internet-facing web services is performed on a regular basis.
- Intrusion tests and expert security reviews are performed to identify nonconformities with security requirements and evaluate robustness against these types of attacks.
Data protection measures
Once your information enters DocEvent.io’s systems, it is secured with multiple layers of encryption and access controls. For encrypted transfer protocols (SFTP, FTPS and HTTPS), we encrypt your data in transit using secure TLS cryptographic protocols (TLS 1.2 & TLS 1.3), including within the virtual private cloud at AWS. Data at rest, including backups, is encrypted using the Advanced Encryption Standard (AES) with a 256-bit key.
The one exception is if you choose to use unencrypted (plain) FTP: in that case the connection between you and our systems is not encrypted, so your data remains unencrypted only until it reaches our systems. This is a choice you make when configuring your connection — we recommend SFTP, FTPS or HTTPS, which are encrypted in transit. Once your data reaches our systems it is protected as described here.
Additionally, all workstations and devices used by DocEvent.io are fully encrypted to ensure the confidentiality of the information they hold.
Data retention
Customer data is retained for as long as necessary based on the purposes for which it was collected and in accordance with applicable laws. Additionally, certain data may be legally required to be kept indefinitely. However, if you wish to have your data completely removed from the DocEvent.io platform, you can request deletion at any time through our standardized process and procedure by contacting support@docevent.io.
DocEvent.io is designed to be both scalable and fault-tolerant. If one machine fails, another is immediately ready to take over. This redundancy is built into all levels of the platform.
In line with AWS best practices, we utilize a Multi-Availability Zone architecture. If an entire Availability Zone fails, the remaining machines in the functioning zones can continue to run the entire service.
In the event of a failure in one region, our service will remain available in all other regions.
We also maintain redundant backups of critical data, which are transferred to a separate AWS location and account to ensure business continuity in the event of a disaster. Backup retention is set to 30 days. Our snapshots are executed once every 4 hours. In the event of a critical disaster where a restore is necessary, all data from the previous snapshot will be restored.
DocEvent.io implements various integrity security controls across its services and servers to ensure the quality, accuracy, and completeness of data throughout its entire lifecycle.
Asset management
DocEvent.io maintains an asset management policy that includes the identification, classification, retention, and disposal of information and assets.
DocEvent.io devices are equipped with full disk encryption and up-to-date antivirus software that reports to a centralised control system, utilising real-time, scanless monitoring technology.
Access to DocEvent.io devices is secured by multi-factor authentication (MFA) and Mobile Device Management (MDM) technologies, providing an additional layer of security. In the case of a disaster, only DocEvent.io and verified devices are permitted to access corporate networks — however, in general day-to-day business, no access is granted to any device, whether it is within our assets or not.
Information security incident management
DocEvent.io has security incident response policies and procedures that comply with Articles 33 and 34 of the GDPR. These policies outline the necessary steps to handle security incidents, including initial response, investigation, and notification in accordance with applicable laws. Additionally, the company has established a Personal Data Breach Notification procedure to notify the relevant supervisory authorities and, where required, applicable US regulators, as well as affected data subjects, in line with GDPR and other data protection regulations.
All suspected or confirmed privacy or data security incidents must be reported following our security policies. DocEvent.io employees who identify a potential incident are responsible for initially classifying its severity based on their assessment. All incidents must be reported as soon as possible after identification, without undue delay.
We are committed to keeping our customers fully informed about any matters relevant to the security of their account and to providing all necessary information to help them meet their own regulatory reporting obligations.
You can communicate with our Security department via support@docevent.io.
Reporting a security vulnerability
We welcome reports from security researchers and members of the public who believe they have found a security vulnerability in DocEvent.io. If you have found an issue, please report it to us at
support@docevent.io (this contact is also published at
/.well-known/security.txt). Where possible, please include enough information for us to reproduce the issue — such as the affected URL or component, a description of the vulnerability, and the steps to reproduce it — and give us a reasonable amount of time to investigate and remediate before any public disclosure.
When conducting security research, we ask that you act in good faith and do not: access, modify, or delete data that does not belong to you; degrade, disrupt, or overload our services (for example, through denial-of-service testing or spam); or violate any applicable law. Please only test against your own account and data.
Safe harbour: we consider security research and vulnerability disclosure conducted in good faith and in accordance with this policy to be authorised. We will not pursue or support legal action against researchers who act in good faith and comply with this policy, and we will work with you to understand and resolve any issue quickly. If in doubt about whether a specific action is permitted, contact us first at support@docevent.io.
Continuity
DocEvent.io has well-defined contingency and continuity plans based on comprehensive risk analysis. In the event of an emergency, these specific contingency plans are designed to ensure the continuation of critical business processes while safeguarding the integrity of data as the organisation operates in emergency mode.
Development
Our development team utilizes secure coding techniques and best practices, with a focus on the OWASP Top Ten, under the supervision of the Security department. Developers receive periodic training in secure practices, starting from their onboarding.
Test and production environments are isolated and separated, both by VPC and by AWS account (our development account doubles as our test environment). All changes undergo thorough reviews for performance, audit, and security considerations before being fully deployed to the production environment. Multiple approvals are required before implementing changes in production to mitigate risks, including those from internal sources. DocEvent.io never uses real data in non-production environments.
Any impact on the service can be monitored at any time on the DocEvent.io
status page.
Virtualisation security
DocEvent.io applications are built using a microservice architecture with a container orchestration system for automatic software deployment, scaling, and management. This architecture is supported by message-based routing between services — the same secure messaging fabric that powers our Channels system — providing secure, monitored service-to-service communication.
DocEvent.io implements controls to secure workloads at various stages — build, deploy, and runtime. These controls include image scanning, securing CI/CD pipelines, secrets management, encryption, observability, and threat detection.
Secret authentication information management
DocEvent.io account holders authenticate through a managed authentication service (AWS Cognito, in the us-east-1 region), which securely stores and hashes their credentials on our behalf. Where DocEvent.io stores service credentials directly — for example, for SFS / SFTP users — passwords are protected using salted bcrypt with a high number of rounds. Plaintext passwords are never stored.
Customers can also sign in using Google single sign-on (SSO) through federated authentication.
Customers can reset their passwords or unlock their accounts using their pre-configured email addresses at any time.
DocEvent.io also provides a two-factor authentication (2FA) mechanism that customers can easily enable.