Document360 security and infrastructure

Plans supporting the Document360 security and infrastructure: Professional, Business, Enterprise

Security is one of the most important aspects of any SaaS application. As a company specializing in SaaS products, we ensure our offerings align with the latest market standards. Document360 prioritizes data protection, ensuring your information is always secure.

We collaborate with industry-leading partners like Algolia and MongoDB Atlas, who are certified for TLS-standard encryption for data in transit. Microsoft Azure Blob Storage also safeguards your project backups with robust security protocols.


Quick summary - Security and infrastructure

  • Your data is securely stored in a remote database hosted by MongoDB Atlas, utilizing a three-server cluster to ensure zero downtime.

  • Network traffic is encrypted using TLS, and data at rest resides in encrypted storage volumes.

  • Daily, weekly, and monthly backups are maintained for up to one month, enabling quick restoration.

  • Project backups are stored in Microsoft Azure Blob Storage across multiple geolocations to maintain data integrity.

  • Our secured API allows data access via authenticated API tokens, ensuring complete control over access permissions.

  • Document360 is hosted on Microsoft Azure Cloud, leveraging its advanced security protocols and compliance standards.

  • Microsoft Azure Cloud offers protection against distributed denial-of-service (DDoS) attacks by defending against common network-layer attacks through always-on traffic monitoring and real-time mitigation.

  • The core team is highly technical and understands the importance of security and staying up to date with new technologies. They coordinate with an offshore team to provide the best services for the customers.

For more details on using Document360 APIs, refer to the Document360 API documentation.


Best practices

Here at Kovai.co, we believe that best practices create secure and robust applications. We recommend that Document360 users follow our list of best practices to prevent unexpected data loss or unauthorized access.

List of best practices:

  1. We do not recommend publicly sharing the API key via less-secured networks, as it can result in unauthorized data access. The key can be used to view or exploit your data. In such a case, we recommend deleting the key immediately and creating a new API key for your usage.

For more information, click here.

  2. We recommend giving an API key only the required permissions, as this helps keep the data in safe hands and prevents unauthorized users from modifying it. For example, to view an "example" set of data, the API key only needs the GET method. This does not let users modify the data using the API key.

For more information, click here.

  3. We suggest that the team manager give each user the correct access rights, as most of our customers have a team that has access rights to the documentation. We simplify this by having roles that correspond to a certain access rights level.

For more information, click here.

  4. We recommend that users take advantage of the backup functionalities. The project is automatically backed up every day at 00:00 UTC. You can also manually back up your project at any time to keep your changes safe. Both of these back up the Settings, Landing Page, Documentation, and Entire Project contents, and can be restored at any time to return to a previous version. This process is made available to keep users in control and to prevent data loss.

For more information, click here.

  5. We recommend you use the option to make the documentation private if needed. Different customers have different use cases for our product. You might want the documentation to be visible to the public or only to internal team members. In the latter case, the project owners can make the documentation private so that it is not visible to the public.

For more information, click here.


Security information of integrations and partners

Algolia - Search partner

  • SOC2 and SOC3 compliant - Algolia follows all SOC 2 best practices to ensure excellence in the AICPA’s five trust service principles, which helps secure your data from modern threats.

  • API servers use HTTPS and TLS (1.0, 1.1, and 1.2), which have an A rating from Qualys SSL Labs.

  • Algolia isolates each customer's data in separate applications, preventing leakage and exchange of information and preserving the integrity of your data.

For more information about the security of Algolia Search, visit Algolia's security docs.

MongoDB Atlas - Database service partner

  • Network isolation - MongoDB Atlas dedicated clusters are deployed in a unique Virtual Private Cloud (VPC) with dedicated firewalls. This means that a third party cannot access your private data.

  • MongoDB Atlas undergoes independent verification of platform security, privacy, and compliance controls.

  • End-to-end encryption - All network traffic is encrypted using TLS, and the minimum TLS protocol version can be configured. Data at rest is stored in encrypted storage volumes.

For more information about the security of MongoDB Atlas, visit MongoDB's security docs.

Azure Blob Storage

  • Encryption in transit - HTTPS ensures data is encrypted during transfer. In contrast, client-side encryption secures data on your device before sending it to the server, where it is decrypted upon arrival.

  • Encryption at rest - Storage-side encryption is always enabled and automatically encrypts storage service data when writing it to Azure Storage. Client-side encryption is also enabled to make the data stored as secure as possible.

  • Advanced threat protection - Provides an additional layer of security to detect unusual behavior and potentially harmful attempts to access and exploit your storage account.

For more information about the security of Microsoft Azure Blob storage, visit Azure security docs.


GDPR compliance

Document360 is fully GDPR compliant. We collect and store only the data required to deliver our services, with explicit customer consent.

For more information about GDPR compliance, visit Document360's GDPR compliance page.


Business continuity and disaster recovery

We have High Availability configured for our web apps and database to ensure business continuity. Multiple nodes run for individual services, so if one goes down, you still get an uninterrupted experience using Document360.

For any possible disaster, our database and data storage are replicated in different geolocations, so your data is always safe with us.

DevOps Team

The product owner defines and reviews a Product roadmap periodically. Security fixes are prioritized and bundled in the earliest possible sprint. Our DevOps sprints are powered by multidisciplinary team members, including the Product Owner, Director of Engineering, Developers, and Quality Assurance.

  • Code Review

The Quality Assurance team tests all changes and establishes criteria for performing code reviews, web vulnerability assessments, and advanced security tests.

  • Quality Assurance

Builds undergo stringent functionality, performance, stability, and UX tests before they are certified "Good to go."

  • Version Control

Source code is managed centrally with version controls, and access is restricted based on various teams assigned to specific sprints. Records are maintained for code changes and code check-ins and check-outs.

  • Segregation of Duties

Access to the production resources is restricted to a limited set of users based on the job roles.

Highly Resilient Architecture

The architecture is built with resiliency to ensure the high availability of the product and data.

  • High Availability

We have multiple instances of our services running to ensure the high availability of our services for our customers.

  • Highly Scalable DNS

Users are routed to the best endpoint based on geo-proximity, latency, health, and other considerations.

  • Data Backup

Cloud snapshots are taken daily, weekly, and monthly, and the backups are retained and available for restoration for one month.

  • Incident & Breach Management

Procedures are established for reporting and tracking incidents for timely communication, investigation, and resolution.

  • Azure CDN

We use Azure CDN to make sure our application and customer documentation are served quickly from the nearest node.


Help

For more information about Document360's security and infrastructure, contact us or book a demo with our experts today.