At SwipedOn, security is a priority!
We understand that the protection and security of our customer data is our most important responsibility. Thousands of companies around the world trust SwipedOn to treat their data with the respect it deserves. We do not take that responsibility lightly, and we're constantly improving our security procedures across the business.
We keep a close eye on the latest data regulations, and in particular the EU General Data Protection Regulation (GDPR). You can find out more on how to use SwipedOn with the GDPR here.
As a Cloud service, we do not host any servers ourselves. We outsource this task to the largest Cloud data storage company in the world: Amazon Web Services (AWS). You can view AWS security information here.
Our servers are physically located in the United States of America (AWS Ohio region: us-east-2).
The servers we use at AWS are Multi-Tenant. AWS have strict controls to prevent one tenant from accessing another tenant's data.
Our database is continuously versioned for recovery purposes using AWS RDS.
We use AWS Simple Storage Service (S3).
We use S3 for:
- Visitor photos
- Employee photos
- Signed visitor agreements
Our web application (https://secure.swipedon.com) is accessible only via HTTPS, and the entire HTTPS web application framework is protected with SSL certification.
Sessions are authenticated with a 23-character security token.
Each iPad has a 6-character randomly generated unique Device Identifier. iPad sessions are authenticated using a security token which is randomly re-activated after a set period of time.
All user passwords are hashed using the bcrypt hashing function. Passwords can only be changed and not retrieved. Our Customer Support staff follow strict policies for the resetting of client passwords.
All SwipedOn staff are required to use the password vault manager 1Password. Staff are required to use 2-Factor authentication where available and we mandate screen locking time-limits of 2 minutes.
We do not store your Credit Card details. We outsource the processing of your payments to Payment Express, a secure PCI compliant company. You can view Payment Express's credentials here:
Segregation of duties
SwipedOn staff do not have access to your data. The exception to this is when our Customer Support team or Engineers need to debug issues or configure your account. In such circumstances, we will only access your data with your express permission.
Our internal Data Protection Policy states that customer data is never to be stored on local machines.
Production and Staging logins are separated between Support and Engineering Teams, meaning Engineers are not able to access Production Data without making a specific request.
SwipedOn works in Offline mode. In the unlikely event of a server outage all data is queued and transferred to our servers on re-connection. This is perfect for making use of our Evacuation Management feature.
Our Cloud-based platform is engineered for redundancy and availability.
Our platform uses load balancing techniques to auto-scale when demand is high.
If you have any further data security questions, please feel free to get in contact with our Data Protection Officer, Ben Scott.