We value our customers' trust in keeping their data secure with SplashID Safe.

Application Security

SplashID Safe applications are OWASP TOP 10, SANS TOP 25 and CWE (industry best security standard) compliant. Application layer attacks are handled by secure programming techniques and hand-picked security packages. Our developers are security trained and follow a stringent security checklist which needs to be verified before we release any new update or product version. Our dedicated team of security professionals uses Netsparker, Burpsuite, Acunetix and manual hack exploits to ensure no common vulnerabilities are missed and new attacks are covered. All SplashID Safe product versions are developed and tested keeping cross data leakage, privacy and security as priorities. Additional security controls like dual authentication, secret key, user role mapping are integrated at the web application layer and on server side. Our stringent application security policy ensures all SplashID Safe versions are tested periodically and also with every code change.

Network Security

Apart from firewall security, SplashID Safe ensures every request is encrypted over the network layer. Every request is sent over high strength SSL connection (256 bit cipher). In addition, SplashID Safe encrypts every record at the transport and application layer. Our dedicated security team performs network scans regularly using Nessus, Qualys and NMAP to detect network related vulnerability.

Server Security

SplashID Safe's servers are security hardened on Rackspace across a multiple tier architecture. Our servers have are regularly checked for malware, rootkits and software updates. The servers are backed up on a daily basis.

Advanced Security Features

Local Only records - Cloud Services users can now designate any record in SplashID Safe as Local Only. This means the record stays local on the device selected and does not sync (in an encrypted state) to the cloud server like other records. If the selected record is already on the web app or on any other devices running SplashID Safe, it will get deleted from those apps. At any point, you can undo the Local Only setting, and the record would then sync back to the cloud server and appear on all your devices.

2-Factor Authentication - 2-factor Authentication is recommended to increase the security of your SplashID Safe account. The 2nd factor is an additional code that needs to be entered when your SplashID Safe account is accessed from a new desktop, device or browser. One you confirm access is authorized with the additional code, you will no longer need to enter the 2nd factor code when you log in from that device or browser.

Share Securely - Share SplashID Safe records securely with anyone, whether they use SplashID Safe or not. Sharing with a SplashID Safe Cloud Services user prompts the receiver to import the records into their account. Sharing with a WiFi sync or Local storage user or with a non-SplashID Safe user sends a secure link over email from which the records can be viewed. The shared records will be deleted once viewed and the link is valid only for 24 hours. Records are password protected, and you have the option of including that password in the email that is sent, or don't include it and share the password verbally for increased security.

Security Team Hall of Fame

Our mission with SplashID Safe is keeping customer information confidential - your information needs to be kept your own, secure and private. Over the past decade, we have worked with our community of users and with security researchers to improve SplashID Safe's security. We recognize security is an ongoing process, and we need to constantly evolve to meet new threats. We appreciate all security concerns reported to us, and we value feedback.

If you feel you have found a potential security issue with SplashID Safe, please let us know. When reporting potential issues, please be as thorough as you can in providing enough detail so that we can recreate your finding. Email us directly. We will respond as soon as we can. Once you have submitted a security concern, we may follow up with you to get additional information. Once we have validated a concern and implemented a fix, we will thank you for your assistance and also recognize you if you would like.

SplashData would like to thank the following security experts who have contributed to helping improve SplashID Safe's security.

  • Agastya Rudroj
  • Aleksandr Vasilyev
  • Anagha
  • Andrea Possemato
  • Atulkumar Hariba Shedage
  • Bhaskar Borman
  • Blessen Thomas
  • Chandroliya Ravi
  • Clifford Trigo
  • Danish Tariq
  • Devesh Bhatt
  • Garry D. Bacalso
  • Ghanashyam Sreehari
  • Gineesh George
  • Hakimuddin Gheewala
  • Hardik Parekh
  • Hardik Tailor
  • Hari Krishnan
  • Inaki Rodriguez
  • Jatin Mangani
  • Jay Vardhan
  • Jeevan Dahake
  • Kamal Singh
  • Kamil Sevi
  • Karthickumar Ramanathapuram
  • Kesav Viswanath
  • Kiran Karnad
  • Lalit Kumar
  • Le FeOx
  • Lyon Yang
  • Manish Bhattacharya
  • Mathias Karlsson
  • Maulik Shah
  • Meris Bihorac
  • Michael Smith
  • Mihir Mistry
  • Monendra Sahu
  • Muhammad Talha Khan
  • Muhammad Waqar
  • Nailo Mimo
  • Nakul Mohan
  • Nilesh K
  • Nitin Goplani
  • Osama Ansari
  • Osama Mahmood
  • Osanda Malith Jayathissa
  • Paras Pilani
  • Parichay Rai
  • Paul Seekamp
  • Prayas Kulshrestha
  • Rafael Pablos
  • Ranjan Kathuria
  • Ravindra Singh Rathore
  • S Venkatesh
  • Sachin Kediyal
  • Salman Khan
  • Sander Van der Borght
  • Shpend Kurtishaj
  • Shubham Gupta
  • Siddhesh Gawde
  • Sriram Shyam
  • Stefano Ivan Stinga
  • Surya Subhash
  • Swapnil A. Thaware
  • Tony Trummer
  • Vinoth Kumar
  • Vishal Sonar

Frequently Asked Questions

Unique among password managers, SplashID Safe offers you the choice of syncing and storing data using secure cloud services, your own local Wi-Fi network, or local storage on your device.
As long as you have a secure master password for SplashID Safe, your data is very safe. SplashID Safe applications on mobile devices and for Windows and Mac only allow a small number of incorrect password attempts before all records locally are erased.
Rackspace, a well established leader in secure cloud services.
No, there is no "forgot password" feature in SplashID Safe, only a password hint if you choose to set one. We have no access to user passwords -- we don't know what they are. We don't enable password deletion remotely or by us. Password reset is also not possible.
We have deployed open source WAF on production servers and have regular application security, network security and server security exercises conducted on all our supported platforms. We have a multiple tier architecture with clear segregation of application and database servers.
We have designed SplashID Safe services to have uptime commensurate with other critical web services. Even in the case of an offline scenario, SplashID Safe client applications for mobile and desktop clients offer local access.
We use a combination of encryption algorithms in our designs, including 256 bit AES and 128 bit Rijndael.
Yes, we salt user emails and passwords.
Once you log into your account, you can delete all your records or your entire account and this will erase all data stored on our server and then the backup.
Yes, every page is sent over SSL connection. Preferred cipher is 256 bit for SSL connection. After user session is ended, all binded data is erased from web server. No data is cached in web server or in session variables.
We welcome analyses and reports from security experts and researchers. Please visit this page to learn more about submitting a report and becoming a member of our valued security community.
SplashID Safe is not affected by Heartbleed! Since SplashID Cloud Services is run on Microsoft IIS servers, and not Linux or Unix servers, it does not employ the Open SSL library that contains the Heartbleed vulnerability. That said, this is a widely used library that will affect many of the websites you login to, and this vulnerability has existed for some time, so we recommend that you change passwords on all sensitive sites at this time to be safe. You can use the password generator feature in SplashID Safe to generate strong passwords and save them in your SplashID records for easy (and secure!) recall. For more info on Heartbleed, click here

About SplashData

SplashData has been a leading provider of security applications and services for over 10 years. The company's secure password and record management solution SplashID Safe has over 1 million individual users worldwide as well as hundreds of business and enterprise clients. SplashData was founded in 2000 and is based in Los Gatos, CA.

Contact us