Information Security

Last update: September 24, 2024

At Envoice, we are committed to protecting the confidentiality, integrity, and availability of our information systems and customer data. We continually improve our security controls and monitor their effectiveness to ensure our customers can trust our solutions.

For any inquiries, you can reach our security team at security@envoice.eu.

Cloud Security

Data Center Physical Security

Facilities

Envoice uses Google Cloud Platform for data center hosting. GCP regularly undergoes independent verification of security, privacy, and compliance controls against the following standards: ISO/IEC 27001, ISO/IEC 27017, SOC 1, SOC 2, SOC 3, PCI DSS, HIPAA, CSA Star, FedRAMP and many others. Additional details are available at: https://cloud.google.com/security/compliance/offerings.

GCP employs robust controls to protect the availability and security of its systems, including backup power, fire detection and suppression equipment, and secure device destruction, among others. Learn more about Google security.

On-Site Security

GCP implements layered physical security controls to ensure on-site security including vetted security guards, fencing, video monitoring, intrusion detection technology and more.

Network Security

In-house Security Team

Envoice has a dedicated and passionate security and operations team to respond to security alerts and events.

Third-Party Penetration Tests

Third party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings as a result of tests are tracked to remediation. Reports are available on request with an appropriate NDA in place.

Threat Detection

Envoice leverages threat detection services within GCP to continuously monitor for malicious and unauthorized activity.

Vulnerability Scanning

We perform regular internal vulnerability scans of our infrastructure and applications. Where issues are identified, they are tracked until remediation.

DoS Mitigation

Envoice uses a number of layered DDoS protection strategies and tools to mitigate DDoS threats. We use the ML-based Adaptive Protection mechanism of GCP Cloud Armor to help detect and block Layer 7 DDoS attacks.

Access Control

Access is limited following the least privilege model, so that staff receive only the access required to carry out their jobs. This is subject to frequent monitoring to ensure compliance. 2FA is required for all production systems.

Encryption

In Transit

Communication with Envoice is encrypted with TLS 1.2 or higher over public networks. We monitor community testing & research in this area and continue to adopt best practices in terms of cipher adoption and TLS configuration.

At Rest

Envoice data is encrypted at rest with industry standard AES-256 encryption. The Google Cloud Platform encrypts customer data stored at rest by default. For more information, please see https://cloud.google.com/docs/security/encryption/default-encryption.

Availability & Continuity

Uptime

Envoice is deployed on public cloud infrastructure. Services are deployed to multiple availability zones for availability and are configured to scale dynamically in response to measured and expected load.

Disaster Recovery

In the event of a major region outage, Envoice has the ability to deploy our application to a new hosting region.

Disaster Recovery deployment is managed by the same configuration management and release processes as our production environment, ensuring that all security configurations and controls are applied appropriately.

Application Security

Environment Segregation

Testing, staging and production environments are separated from one another. No customer data is used in any non-production environment.

Data Privacy

Privacy Policy

Envoice’s privacy policy, which describes how we handle data input into Envoice, can be found here. For privacy questions or concerns, please contact our Data Protection Officer (DPO) at dpo@envoice.eu.

Third Party Security

Vendor Management

Envoice understands the risks associated with improper vendor management. All of our vendors are evaluated through a supplier onboarding process prior to engagement to ensure their security meets a suitable standard. If they do not meet our requirements, we do not move forward with them. Selected vendors are then monitored and reassessed on an ongoing basis, taking into account relevant changes.

Responsible Disclosure

At Envoice, we consider the security of our systems a top priority and believe that working with a skilled security research community helps improve our security posture.

Disclosure Policy:

  • Please note that we currently have a practice of paying symbolic bounties for security bugs. We believe that a responsible disclosure will benefit all parties involved.
  • If you believe you have discovered a potential vulnerability, please let us know by emailing security@envoice.eu.
  • Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting/modifying other people’s data. For testing, only use the accounts you own yourself, or for which you have explicit permissions from the account holder.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or third party and include sufficient information to reproduce the vulnerability.
  • We recommend that you include the following information when you report a potential security vulnerability: summary, severity, URL, proof-of-concept steps and evidence such as screenshots or video.

Exclusions:

While researching, we would like to ask you to refrain from the following:

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS)
  • Spamming
  • Social Engineering or phishing of Envoice employees or contractors
  • Any attack against Envoice’s physical property or data centers
  • Scanning Envoice infrastructure or products using automated vulnerability scanners

Always follow our terms and conditions.

Thank you for helping keep Envoice and our users safe!