Is my data secure?

Your data is secure when using Snitch AI.

This article will take you through details on what information is stored, where it's stored, and how it's stored.

NOTE: This article relates to sending your data to our cloud infrastructure. It solely occurs when using the cloud environment (i.e. drag-and-dropping files via the web app), or when using the hybrid environment without specifying your own endpoint. For more details about the different environments, see the Getting Started page. If you are using the hybrid environment with your own endpoint or if you are using a complete isolated version, everything will be executed on your side. Security of your data will therefore be determined by the security of your own network/infrastructure and you can ignore info contained in this article.

Data categories

We separate data into these distinct categories:

  1. Security-critical data (access tokens, connection strings, encryption keys)
  2. User data
  3. Application state data
  4. Login credentials

Security-critical data

This data includes data such as access tokens, connection strings, and encryption keys. This type of data is stored in Azure KeyVault. The application has a registered identity to access these tokens and all accesses are fully audited and logged. This is the most secure data layer.

Key Vault uses HSMs (Hardware Security Modules) to provide an even higher level of encryption for all data stored within it.

User data

This data includes all data that is uploaded to the system by its users, including all files provided for analysis. All data in this category has three layers of encryption:

  • Encryption in transit (TLS 1.2+)
  • Encryption at-rest (AES 256)
  • Application-level encryption (AES 256) using a key-derivation function to generate unique encryption keys for each project. This encryption has four distinct protection vectors that significantly reduce the risk of compromise if any of these vectors end up being vulnerable to an attack.

Application state data

This is the state data that is required for the operation of the system, excluding any data that is covered in the User data category.

Data in this category has two layers of encryption :

  • Encryption in transit (TLS 1.2+)
  • Encryption at-rest (AES 256) 

Login credentials

All user login credentials are stored using industry-recommended best practices.

Data in this category has three layers of protection :

  • Encryption in transit (TLS 1.2+)
  • Encryption at-rest (AES 256)
  • Hashed using a modern password hashing protocol (randomly salted PBKDF2 with over 10,000 iterations)

Access to secure data

Each user or application that has to access production data does so using a unique and individual identity that is managed by Azure AD. For all human users, they are required to use strong passwords as well as MFA (multi-factor authentication). For all machine users, they have separate application identities that can either be configured by MSI (preferred when supported) or a distinct ID and secret.

Still need help? Contact Us Contact Us