With thousands of customers depending on our service and millions of end users being served each month, security is essential and a core part of our product. Our focus is on providing a secure, stable and fast platform, in that order.
iPaper and the Customer mutually commit to working together in a professional and respectful manner when handling errors, to minimize the impact on the other party.
All of our flipbooks and embeddable scripts come with HTTPS as standard, using the TLS protocol suite narrowed down to the latest recommended cipher suites. While some customers choose to use their own subdomains, we require that we issue the certificate, to ensure the overall safety of the platform. All of our certificates are issued by Let's Encrypt.
Passwords used for any iPaper product are currently stored as SHA-1 hashes with unique per-user salts. We do not store the original password in either plain text or encrypted format; we only use secure hashes using modern ciphers for passwords with unique per-password salts.
All data is stored in the Amazon Web Services (AWS) cloud in the eu-west-1 (Ireland) region. Relational data is stored on secure dedicated AWS EC2 instances while blob data is stored in AWS S3.
All blob data is delivered through the AWS CloudFront CDN and may traverse other regions on its way to the end user. To protect the content, all blob data is private and protected, whether it's intended for public use or not. Before any blob data can be accessed, the request needs a time-limited, uniquely crafted and signed policy, created by the iPaper platform on demand.
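The checks a time-limited signed policy implies, shown as an added example that is not iPaper's code: the signature is verified before any claim in the policy is trusted, then the resource and the expiry are checked. CloudFront signs policies with an asymmetric key pair; this sketch substitutes HMAC-SHA256 from the Python standard library, and the key, resource paths and function names are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # constructed value; a real key lives in a secrets store


def b64e(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_policy(resource: str, now: int, ttl: int = 300) -> str:
    """Return '<policy>.<signature>' granting access to one resource until now + ttl."""
    policy = json.dumps({"resource": resource, "expires": now + ttl},
                        separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SECRET, policy, hashlib.sha256).digest()
    return f"{b64e(policy)}.{b64e(sig)}"


def check_policy(token: str, resource: str, now: int) -> str:
    """Verify the signature first, then the resource and expiry; return a verdict."""
    try:
        policy_part, sig_part = token.split(".")
        policy, sig = b64d(policy_part), b64d(sig_part)
    except ValueError:  # wrong number of parts or invalid base64
        return "malformed"
    expected = hmac.new(SECRET, policy, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return "bad-signature"
    claims = json.loads(policy)  # safe to parse only after the signature matched
    if claims["resource"] != resource:
        return "wrong-resource"
    if now >= claims["expires"]:
        return "expired"
    return "ok"


if __name__ == "__main__":
    t0 = 1_700_000_000  # constructed timestamp
    token = issue_policy("/blobs/demo/page-1.jpg", t0)
    print(check_policy(token, "/blobs/demo/page-1.jpg", t0 + 10))   # within the window
    print(check_policy(token, "/blobs/demo/page-1.jpg", t0 + 300))  # at expiry
```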
We aim to limit the amount of personal data that we store in the iPaper system. As such, IP addresses of users are only utilized temporarily for analytical purposes (detection of visitor location on a regional basis, fraud and misuse detection), after which only a non-unique part of the IP address will be stored for logging purposes.
As iPaper is not intended for long-term storage of personal data (pop-up submissions, form replies, shop checkouts, etc.), these kinds of data are automatically deleted after three months, as described in further detail on our GDPR compliance page.
As part of our internal employee training, we run ongoing security awareness campaigns utilizing KnowBe4. This is to ensure all employees are aware of the dangers of phishing, vishing, malicious attachments, etc., as well as how to identify such attacks.
As part of their employment, all iPaper employees are required to sign confidentiality clauses that guarantee the privacy and full confidentiality of any customer data, during as well as after their employment at iPaper.
We utilize unit and system testing extensively as part of our coding practices, to ensure our code is up to standard, including on security. All new features are rigorously tested not only from a functionality standpoint, but also from a security standpoint, at all layers.
We run daily automated security tests of our websites, back-ends as well as front-ends, using the Detectify service.
We welcome security testing by our customers to prove our platform's viability and security. Before doing any such tests, please read our guide to penetration testing here.
If you wish to arrange any such testing in the future, please reach out to firstname.lastname@example.org before initiating anything.
While we do our utmost to ensure the platform is fully secure, we realize the value of penetration testing and external security researchers. To support security researchers in performing their research and disclosing any identified issues in a responsible manner, we have a Security Disclosure Program.
We take security seriously!