Security Measures

Information security is of paramount importance to Docmosis. We continuously develop our security systems, policies and procedures to meet industry best practice.

Below is a list of technical and organisational measures employed by Docmosis in the course of providing our Cloud Service.

1. Physical Security

  • Processing occurs entirely on Amazon Web Services (AWS) infrastructure. This provides comprehensive physical security and we take full advantage of the AWS facilities for supporting the non-physical system security.
  • The Company premises have physical access control systems and are protected after hours by an externally monitored security system. The local computer network has multiple layers of network devices to protect against external threats.

2. System Security

  • Client accesses the Services via self-managed passwords (restrictions on minimum length and special characters) with monitoring and notifications to Company of break-in attempts.
  • API access requires a unique access key which Client can rotate and expire.
  • Client actions are audited, providing the basis for investigation in incident management.
  • Employee access to cloud infrastructure is controlled by two-factor authentication.

3. Security of Data

  • Transport Encryption - All communication with the Services is SSL encrypted.
  • At Rest Encryption - Templates and other uploaded content are encrypted at rest.
  • “Short Memory” Data Retention – Client Personal Data and the generated documents are delivered, then automatically and immediately deleted.
  • Email Security - Email is dispatched using transport layer security (SMTP TLS).
  • Processing of data and generated documents is geographically bound (either USA or EEA) within the region selected by the Client.
  • Data (templates and other uploaded content) are stored in areas with role-based access and access by employees requires interaction with access-control systems.

4. Availability and Resilience

  • High Availability Architecture - Load balanced, high-performance, redundant and monitored 24/7.
  • Monitoring – Company uses publicly visible third-party systems to monitor the availability and performance of Services. Key API endpoints are monitored every 60 seconds with deep-tests checking the contents of the generated test documents. Historical uptime results can be viewed here:
  • Strong Software Design - The service is engineered to survive multiple points of failure, degrade in a predictable manner and remain as operational as possible, even in the event of core systems failures.
  • Backed up - Multiple independent backup systems in place providing case-specific recovery options.
  • Version Controlled – Templates and other uploaded content are version controlled and can be reverted and restored on an as-needs basis.
  • Service Status – Minor software updates are performed as needed on the service. Status notifications are available here:
  • Clearly established Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).

5. Regular Evaluation and Assessment

  • Company continually evaluates the security of the Services to determine whether additional or different security measures are required.
  • Company engages an independent third party to perform penetration testing of the Services.

6. Staff Practices

  • Employee access to infrastructure and data is limited to that necessary to execute the assigned roles. Data is stored in areas with role-based access.
  • Employees are required to read and sign a confidentiality agreement which explains the importance and sensitivity of Client Personal Data.
  • The Company provides ongoing training to employees on the importance of security and their compliance with the Company Password Policy and Acceptable Use of IT Policy.