
Filevine Security


by Ryan Anderson

on 23 July, 2015

At Filevine, we take data security very seriously. In fact, we believe we are more secure than any other case management software or project management software system out there today, and we use systems similar to those found at international banks and billion-dollar investment firms. Why do we do this? We employ multiple, powerful security measures to ensure that your data and your clients' data remain safe. For the computer nerds on your team, here's a summary of how we approach security.

Security Features in Filevine

Robust Password Security: When creating or updating a password, Filevine requires a complex password: at least eight characters, including a number, an upper-case letter and a lower-case letter.

Data Traffic Encryption: Filevine encrypts all data traffic using HTTPS. HTTPS, which uses TLS (Transport Layer Security), encrypts all traffic between your browser and the Filevine website. This means that even if the traffic is intercepted or "snooped" on, it cannot be read.

Server-Side Verification: Filevine validates all data on the server side. Server-side validation is critical because manipulated data coming from the client side could otherwise grant unauthorized levels of access or inject harmful data.

Secured Database: Filevine limits access to the most critical resources, like the client database, by not putting them on the public Internet. Filevine only allows access to critical resources from a whitelist of Filevine's web servers. This means that when a user sends a request to the web server to access client data, the web server then sends that request to the database server. If the computer that sends the request to the database server is not on that whitelist, the database server rejects the request. This provides an additional layer of security for the client data.

Redundant Data Backup: Filevine conducts regular data backups of all client data. These backups are sent to multiple data centers. Data centers are secure, offsite facilities with redundant power supply and cooling systems, providing extra stability and redundancy for keeping systems online and accessible. Sending the data to multiple data centers allows Filevine to remain consistently online and retain client data, even if an issue occurs at one specific site.

Secured Physical Servers: The number of people with access to the physical servers is limited to data center staff who have been trained and vetted. Data centers are locked and guarded 24/7, and even Filevine staff cannot enter.

Up-to-Date Server Software: Filevine keeps servers up-to-date with the latest security updates to protect against new and emerging security threats.

Restricted Access to Production Data: Access to production data is restricted to only a few high-level Filevine staff members. This prevents unnecessary access to sensitive client data.

Secure Credit Card Data Storage: Credit card information is sent from the browser directly to a certified outside store that meets all regulatory requirements for handling financial data. Credit card data never even touches Filevine servers.

Secure Document Download: Each time an authorized user requests a document download, Filevine checks the user's permissions. Once confirmed, Filevine generates a unique, one-time-use URL for that download, which is only valid for a brief period of time. This ensures that documents aren't shared with unauthorized users.
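The following is an added example (not Filevine's code) of how a short-lived, single-use download URL of the kind described above can be issued and redeemed: the token carries the document id, a random nonce and an expiry, is bound together by an HMAC so it cannot be tampered with, and is rejected on expiry or on a second use. The secret key, the hostname and the in-memory redeemed-nonce set are assumptions for the example.

```python
# Added example: short-lived, one-time download URLs signed with an HMAC.
# Permission checks are assumed to have passed before issue_download_url is called.
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SECRET_KEY = b"constructed-demo-key-not-for-production"  # assumption: server-side secret
TOKEN_TTL_SECONDS = 60                                     # how long a URL stays valid
_redeemed_nonces = set()  # assumption: in production this lives in a shared store


def _sign(doc_id, nonce, expires):
    """Bind doc id, nonce and expiry together so none can be changed independently."""
    msg = f"{doc_id}|{nonce}|{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def issue_download_url(doc_id, now=None):
    """Return a URL that is valid once, for TOKEN_TTL_SECONDS from `now`."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)           # unpredictable, unique per issue
    expires = now + TOKEN_TTL_SECONDS
    query = urlencode({"doc": doc_id, "nonce": nonce, "exp": expires,
                       "sig": _sign(doc_id, nonce, expires)})
    return f"https://files.example.invalid/download?{query}"  # hostname is a placeholder


def redeem_download_url(url, now=None):
    """Return the doc id if the URL is authentic, unexpired and unused; else None."""
    now = int(time.time()) if now is None else now
    params = parse_qs(urlparse(url).query)
    try:
        doc_id, nonce = params["doc"][0], params["nonce"][0]
        expires, sig = int(params["exp"][0]), params["sig"][0]
    except (KeyError, ValueError):
        return None                              # malformed URL
    if not hmac.compare_digest(sig, _sign(doc_id, nonce, expires)):
        return None                              # forged or tampered (constant-time check)
    if now > expires:
        return None                              # expired
    if nonce in _redeemed_nonces:
        return None                              # replayed: already used once
    _redeemed_nonces.add(nonce)
    return doc_id
```

Marking the nonce as redeemed before serving the file is what makes the URL single-use; a URL that is copied elsewhere is worthless after its first download or after the TTL elapses, whichever comes first.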

Secure Document Upload: Filevine uses the web standard CORS (cross-origin resource sharing) to ensure that uploads originate only from Filevine and cannot be sent from other browsers or web pages.

Filevine protects against malicious attacks, including:

Injection Attack: An injection attack occurs when user-supplied data contains potentially dangerous code that is then executed on the server. Filevine mitigates this by either scrubbing the user data or isolating it in code so that it is never evaluated.

Cross-Site Request Forgery (CSRF): CSRF is a type of malicious exploit in which a separate website issues unauthorized commands or accesses data by pretending to be a trusted user. Filevine prevents this by not allowing API calls from another browser tab.

Cross-Site Scripting (XSS): An XSS attack inserts a script into a web page in order to use that page to perform malicious actions. Filevine protects against this through client-side validation.

Man-in-the-Middle Attack: A man-in-the-middle attack occurs when an attacker is able to intercept traffic between two parties and impersonate one or both of them, controlling the data that flows between them. Filevine protects against this by using HTTPS to encrypt traffic.