AODocs Data Security Statement

Many customers trust AODocs with their business-critical documents and we take this responsibility very seriously. Meeting the highest security and privacy standards is our top priority. To achieve this, AODocs has established comprehensive and rigorous software technical safeguards as well as security assurance processes and procedures that demonstrate the integrity of its cloud software.

 

Proven technology with security at its core

To provide you with best-in-class security, privacy, and compliance controls, we regularly undergo independent third-party audits. We are SOC 2 Type II certified. SOC (System and Organization Controls) audits are designed for service providers storing consumer data in the cloud. They verify that we have appropriate protection, procedures and policies in place for security, availability, processing, confidentiality, integrity and privacy of customer data. SOC auditors regularly assess our platform, infrastructure, and operations and conduct penetration and vulnerability tests on a regular basis. We also review new features for security and privacy impact before release to improve privacy by design.

Our serverless architecture means that we do not run our own network (routers, load balancers, DNS servers) or physical servers. We chose to partner with Google and rely on their Platform as a Service: Google Cloud Platform (GCP).

All our applications operate on GCP as their back end using mainly the following services:

  • App Engine (serverless application engine)
  • Cloud Datastore (NoSQL document database built for automatic scaling, high performance)
  • Cloud Storage (worldwide, extendable, highly durable object storage)
  • BigQuery (serverless, highly scalable cloud data warehouse)
  • Stackdriver (logging, monitoring and alerting)
  • Pub/Sub (fully managed real-time messaging service)

 

Google Cloud Platform provides state-of-the-art services with security at its core. All servers are updated on a regular basis to ensure we have the latest security patches installed. All networks are protected from intrusions using advanced defense mechanisms.

 

Your data belongs to you

Your data belongs to you, not to us, and we will treat it that way. AODocs will not use your documents or their content for any purpose other than providing you the service you subscribed to. We don’t sell or re-use your data.

We do not store the content of the documents managed by AODocs. These documents and their content remain stored in your Google Drive. AODocs only stores information that is necessary for it to function, such as the name and email address of the user, AODocs audit logs, title of documents managed by AODocs, as well as their properties (such as creation date, creator, last user, comments), description, permissions and URL, and email address of their owner. The table below explains where we store this data and for how long:

| Type of Customer Data | Storage location during the duration of your subscription | Retention policy |
| --- | --- | --- |
| Document properties (metadata), Configuration Data and Google Workspace Directory | In Google Cloud Datastore (part of GCP), with one dedicated namespace for each AODocs customer. AODocs performs automated backup of this data. The content of the backup is stored in Google Cloud Storage (GCS). | This data is deleted from Google Cloud Datastore promptly after termination of the Customer contract. Archive retention of the back-ups from GCS: 5 years. |
| AODocs Audit Logs | Audit Logs are stored in Google Cloud Datastore. AODocs performs automated backup of this data. The content of the backup is stored in Google Cloud BigQuery. | Archive retention of the back-ups from Google Cloud BigQuery: 5 years. |
| Customer Drive Content (content of your Drive files) | Never stored by AODocs; stored in your Google Workspace. | Defined by the Customer based on Google Workspace configuration. |

 

You can send us a request to remove some or all of your personal data from our database, and we will permanently do so if one of the grounds set out in GDPR Article 17 applies (e.g. the personal data are no longer necessary in relation to the purposes for which they were collected or otherwise processed). Note however that deleting some or all of this data may interrupt AODocs functionalities.

 

Our team has a strong security culture

Each team member undergoes an extensive background check, to the extent permissible by applicable local law, as well as comprehensive training on data security and privacy protocols and receives yearly training on the topics of data privacy and security. Our staff does not access any of your data unless you request assistance for support purposes. All information, data and documents exchanged with our support staff in this context is subject to strict confidentiality procedures and will not be disclosed.

 

Data Encryption

We use bank-level encryption from A to Z. Whenever you send or retrieve data from the app, the communication is always secured through HTTPS encryption.

Next to encrypting data in transit, we also encrypt all data at rest. Our databases are encrypted, from the moment we receive your data until we delete it.

Your login details are one-way hashed using a strong hashing algorithm.

| Type of Customer Data | Encryption level |
| --- | --- |
| Your Google Drive content | Your Drive content is encrypted at rest and in transit as described in this article from Google Cloud Help (https://support.google.com/googlecloud/answer/6056693?hl=en). If you want your Drive content to be additionally encrypted and to manage the encryption keys, you can use third-party software such as Virtru or Tanker. |
| Data stored in Google Cloud Platform (including Google Cloud Datastore and Google Cloud Storage) | Data stored in Google Cloud Platform is encrypted at rest and in transit. For encryption at rest, AODocs has chosen to rely entirely on Google Cloud Platform's native “Encryption by default” option. Data at Google is broken up into encrypted chunks for storage using the Advanced Encryption Standard (AES). Google manages the encryption keys and key encryption keys entirely. For encryption in transit, because the AODocs architecture relies entirely on APIs, even from within our backend, all data transit is performed over encrypted connections. By default, we rely on Google’s implementation of Transport Layer Security (TLS), which enforces TLS 1.3 (when possible) or QUIC. |

Additionally, we enforce Strict-Transport-Security in all responses that our applications send.

 

Subprocessors

While we conduct the majority of data processing activities required to provide AODocs ourselves, we do engage some third-party subprocessors to assist in supporting these services. Each subprocessor goes through a rigorous selection process to ensure it has the required technical expertise and can deliver the appropriate level of security and privacy. We use Google Inc. for hosting services, Aliz for development services, SendGrid (Twilio) for automated emails for workflow validation and Accusoft Corporation for embedded document preview services (PrizmDoc™). Altirnao has data processing agreements in place with each of these subprocessors.

 

Compliance with CCPA and GDPR

Privacy has always been the foundation of the AODocs approach to product development and business, and we continuously evaluate all our practices in an effort to safeguard your personal information as effectively as possible. In any case, you always remain in full control of any data we process.

GDPR: We have taken the necessary steps to meet, and sometimes exceed, the compliance standards of the European Union’s General Data Protection Regulation (GDPR).

  • When AODocs acts as a Data Controller (e.g. for your contact data), we collect, process and use personal data in a fair, transparent and secure way in accordance with our Privacy Policy.
  • When AODocs acts as a Data Processor (e.g. for your Google Drive content, AODocs configuration data, properties and audit logs), we process data on your behalf only for the purpose of providing you the AODocs application and always in accordance with our Data Processing Agreement. This processing is limited exclusively to the automatic processing carried out by the application and does not include any manual processing by our staff members, except with respect to professional services or technical support when you request our assistance. Our Data Processing Agreement enacts standard contractual clauses set forth by the European Commission to establish a legal basis for cross-border data transfers from the EU.

 

Processing of your Data is limited to the duration of your contract. Therefore, upon expiration of your subscription, AODocs will delete all content hosted by AODocs promptly (save for certain backup copies of such content maintained by Altirnao’s cloud providers that may require some additional time to be deleted). AODocs will retain one (1) archival copy of properties and audit log information solely for computer back-up systems as required by applicable law and pursuant to AODocs retention policies. We do not delete the content of your Drive, we simply stop processing it and we remove all access we had on such content.

CCPA: Our Data Processing Agreement includes a CCPA notice which makes clear that, to the extent the CCPA applies to the collection, retention, use, and disclosure of your Personally Identifiable Information, AODocs will never (a) have, derive or exercise any rights or benefits regarding Customer Personal Information, (b) sell Customer Personal Information, or (c) collect, retain, share or use Customer Personal Information except as necessary for the sole purpose of providing you the AODocs application or performing support or professional services connected therewith if applicable or as otherwise permitted under the CCPA.

 

Compliance with HIPAA

To the extent that you are subject to the U.S. Health Insurance Portability and Accountability Act (HIPAA) rules and AODocs is your Business Associate, AODocs makes a Business Associate Agreement available to you as an addendum to license agreements. Please request one by writing to legal@aodocs.com.