Security Information

Overview


LeapFILE implements several layers of security to ensure confidentiality during the file transfer process. Each layer of protection reinforces other layers to create a comprehensive security net that protects data, authenticates users, enforces granular access to information, and automatically produces a detailed audit trail of changes in file custody.


Protection Layer


The first layer of security protects data in custody from unauthorized access. This provides the foundation for controlling access to information by blocking all access points. The LeapFILE service implements the following security measures for protection:


1. Physical Access Control
Physical access to systems containing confidential files is controlled and monitored. The service is housed in state-of-the-art data centers featuring 24x7 guarded access facilities using a wide range of security systems including video camera surveillance and the latest in iris and palm scanning technologies. Further discussion on our data center, Amazon Web Services, is made below.

2. Network Access Control
Network access to systems is highly restricted. The service utilizes firewalls to shield servers from the Internet and restricting access to only HTTP ports. This denies any network-based access to systems that may compromise security.

3. Data Encryption
Data transmissions over any network are always encrypted. Files are uploaded and downloaded from the service using SSL encryption. Data at rest is encrypted at the disk level using the industry standard AES-256 cryptographic algorithm.

4. Data Retention
To limit exposure, the system enforces a strict data retention policy. Each file transfer contains an expiration date ranging from 1 to 14 days based on user preference. If a file is not downloaded before the expiration date, the file is automatically and permanently deleted. If a file is successfully downloaded, the file is automatically and permanently deleted after 8 hours. For more control, users can cancel a file transfer and delete the associated files at any time.

5. Authentication Layer
The next layer of security beyond protection is authentication. This consists of security measures to validate user identity before granting access to protected information. There are two types of users that require authentication: internal users that have LeapFILE accounts and external users that exchange files with internal users.

6. Internal User Authentication
Each internal user is assigned a unique ID and password for authentication. To ensure integrity, passwords are required to be least: 8 characters; one capitalized letter; one lower case letter; AND one number. Stronger passwords can be set at the user’s discretion. In addition, passwords are encrypted to ensure integrity.

7. External User/Receiver Authentication
Instead of traditional ID and password authentication, each file transfer carries its own authentication requirements (link, tracking code, email, access code), which compartmentalizes access and simplifies authentication. To download a file, the receiver must first have the secure download link or the tracking code. This is the first form of ID. To prevent unauthorized users from guessing the ID or secure download link, the receiver must also provide the matching receiver’s email address. This is the second form of ID. At minimum, a receiver must provide at least these two forms of ID to access any download. For even more protection, the sender can also set an access code for each file transfer. This is the third form of ID. The access code can be unique to each transfer or utilize confidential information like an account number known by both the sender and receiver. The access code is also encrypted to ensure integrity.

8. Authorization Layer
The authorization layer works in conjunction with authentication and protection to enforce granular access to information. Each user must authenticate to start a session every time they use the service. The session carries user credentials that are compared against permissions for every request. This enables the service to enforce permissions at the application level for restricting access to authenticated users only.

9. Audit Layer
The audit layer automatically records the time, IP address, and user name for every file download. This is compiled for every file transfer and made available to the user for tracking file custody. The service also automatically sends an email alert to the sender when the file is successfully downloaded.



GDPR Compliance

The GDPR ("General Data Protection Regulation") is a European Union regulation that establishes a new framework for handling and protecting the personal data of EU-based residents. It came into effect on May 25, 2018. LeapFILE meets all the requirements of the GDPR. LeapFILE’s European servers are in a datacenter accredited to certification for ISO 27001. LeapFILE is also compliant with widely-accepted security and privacy standards and regulations, such as SOC 2 and HIPAA. LeapFILE is committed to helping customers become GDPR-compliant!


Security At-A-Glance

LeapFILE implements several layers of security to ensure confidentiality during the file transfer process. Each layer of protection reinforces other layers to create a comprehensive security net that protects data, authenticates users, enforces granular access to information, and automatically produces a detailed audit trail of changes in file custody. Data is always encrypted, end-to-end.

Key GDPR requirements

The GDPR requires organizations to provide more information about the way individuals’ information is used. LeapFILE gives you full control of your access controls that allow administrators to grant, disable or delete user access through the administrator panel. LeapFILE also allows administrators to have full visibility into how information is exchanged with detailed audit logs.


Information Transparency

The GDPR requires organizations to provide more information about the way individuals’ information is used. LeapFILE gives you full control of your access controls that allow administrators to grant, disable or delete user access through the administrator panel. LeapFILE also allows administrators to have full visibility into how information is exchanged with detailed audit logs.


Data Residency

Under the GDPR, “Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.” For customers who wish to enhance their compliance story, LeapFILE offers the option to use European-based infrastructure to satisfy this need. European servers are in a datacenter accredited to certification to ISO 27001.


Data Protection Addendum ("DPA")

To help meet compliance with the GDPR, a Data Processing Addendum is available for all customers. Once signed, customers can provide the DPA to auditors to show that they use LeapFILE in a way that lets them demonstrate their data is being processed in a way that meets their GDPR compliance obligation.


Questions or Additional Information:

If you have questions regarding this Agreement or wish to obtain additional information, please send an e-mail to info@LeapFILE.com.