SplashID Safe applications are OWASP TOP 10, SANS TOP 25 and CWE (industry best security standard) compliant. Application layer attacks are handled by secure programming techniques and hand-picked security packages. Our developers are security trained and follow a stringent security checklist which needs to be verified before we release any new update or product version. Our dedicated team of security professionals uses Netsparker, Burpsuite, Acunetix and manual hack exploits to ensure no common vulnerabilities are missed and new attacks are covered. All SplashID Safe product versions are developed and tested keeping cross data leakage, privacy and security as priorities. Additional security controls like dual authentication, secret key, user role mapping are integrated at the web application layer and on server side. Our stringent application security policy ensures all SplashID Safe versions are tested periodically and also with every code change.
Apart from firewall security, SplashID Safe ensures every request is encrypted over the network layer. Every request is sent over high strength SSL connection (256 bit cipher). In addition, SplashID Safe encrypts every record at the transport and application layer. Our dedicated security team performs network scans regularly using Nessus, Qualys and NMAP to detect network related vulnerability.
SplashID Safe's servers are security hardened on Rackspace across a multiple tier architecture. Our servers have are regularly checked for malware, rootkits and software updates. The servers are backed up on a daily basis.
Local Only records - Cloud Services users can now designate any record in SplashID Safe as Local Only. This means the record stays local on the device selected and does not sync (in an encrypted state) to the cloud server like other records. If the selected record is already on the web app or on any other devices running SplashID Safe, it will get deleted from those apps. At any point, you can undo the Local Only setting, and the record would then sync back to the cloud server and appear on all your devices.
2-Factor Authentication - 2-factor Authentication is recommended to increase the security of your SplashID Safe account. The 2nd factor is an additional code that needs to be entered when your SplashID Safe account is accessed from a new desktop, device or browser. One you confirm access is authorized with the additional code, you will no longer need to enter the 2nd factor code when you log in from that device or browser.
Share Securely - Share SplashID Safe records securely with anyone, whether they use SplashID Safe or not. Sharing with a SplashID Safe Cloud Services user prompts the receiver to import the records into their account. Sharing with a WiFi sync or Local storage user or with a non-SplashID Safe user sends a secure link over email from which the records can be viewed. The shared records will be deleted once viewed and the link is valid only for 24 hours. Records are password protected, and you have the option of including that password in the email that is sent, or don't include it and share the password verbally for increased security.
Our mission with SplashID Safe is keeping customer information confidential - your information needs to be kept your own, secure and private. Over the past decade, we have worked with our community of users and with security researchers to improve SplashID Safe's security. We recognize security is an ongoing process, and we need to constantly evolve to meet new threats. We appreciate all security concerns reported to us, and we value feedback.
If you feel you have found a potential security issue with SplashID Safe, please let us know. When reporting potential issues, please be as thorough as you can in providing enough detail so that we can recreate your finding. Email us directly. We will respond as soon as we can. Once you have submitted a security concern, we may follow up with you to get additional information. Once we have validated a concern and implemented a fix, we will thank you for your assistance and also recognize you if you would like.
SplashData would like to thank the following security experts who have contributed to helping improve SplashID Safe's security.
SplashData has been a leading provider of security applications and services for over 10 years. The company's secure password and record management solution SplashID Safe has over 1 million individual users worldwide as well as hundreds of business and enterprise clients. SplashData was founded in 2000 and is based in Los Gatos, CA.