Thank you for visiting and using our website. At cPaperless, LLC (“cPaperless”) security is very important to us, which is why we have created this statement to disclose how we protect your account data. Your trust is imperative to our mission, not only as a business but as people. We want you to feel secure when ordering from our website, installing, and using our products. Our policy is as follows:
All cPaperless websites have been established by cPaperless for the effective operation of our business, and they include two types of access:
- Public access sites contain information which is freely accessible, and may be viewed by any visitor. However, cPaperless maintains a copyright interest in the contents of all of its websites. Information posted on public access sites may not be distributed or copied without obtaining permission from one of the members of the cPaperless Web Content Team. Electronic information which is stored, transmitted, or processed on company computers or communication devices is the property of cPaperless.
- Customer information sites provide restricted access to sensitive and proprietary business information. Gaining access to some types of Web-enabled information will require customers to register to view, retrieve, or process data provided by cPaperless. Parties so authorized may not divulge or transmit this information to other external parties without permission from cPaperless or its subsidiaries. Failure to comply with this security policy is punishable through loss of access and possible legal action for damages.
Unauthorized attempts to upload information or change information via any cPaperless Web service are strictly prohibited, and may be punishable under the Computer Fraud and Abuse Act of 1986 and the National Information Infrastructure Protection Act.
Managing, storing, and securing your account data is very important to us, so we have outlined below the security measures we employ to protect it.
Below you’ll find how cPaperless manages data:
Web Hosted Servers and Data Centers
The cPaperless web servers are hosted in Rackspace US, Inc. facilities, exclusively in the United States. These facilities use advanced firewall and intrusion detection technology to provide a high level of security for our customers. The cPaperless servers and firewall are monitored on a 24/7 basis, and performance reports are generated to ensure maximum operational availability. Through weekly patch management, Rackspace US, Inc. continually updates security software to protect against unauthorized access to our network systems. Daily backups are performed by Rackspace US, Inc.
Data in Transfer
All data transferred to or from our customers is encrypted in transit over SSL connections using SHA-256 certificates.
Data at Rest
cPaperless confirms to our clients that data stored on servers managed by cPaperless is encrypted at rest using Vormetric Transparent Encryption. Data access is restricted to authorized accounts. Unauthorized accounts cannot decrypt the data, so any data improperly obtained cannot be used by an unauthorized party.
Passwords stored in the database are encrypted with 256-bit AES encryption.
At least every 12 months, penetration testing is performed by a third party to evaluate the security of the cPaperless information technology environment. The testing procedures simulate users attempting to gain unauthorized access to system resources and data by using known vulnerabilities and other “hacking” techniques. Testing of external-facing components, including internet protocol (“IP”) addresses and Uniform Resource Locators (“URLs”), simulates a user attempting to gain access to system components through publicly accessible endpoints on the Internet.
The testing company has developed a testing methodology based on the National Institute of Standards and Technology Special Publication 800-115 (“NIST SP 800-115”). This methodology follows the Planning – Discovery – Attack – Reporting structure and ensures a comprehensive, standardized approach to penetration testing that identifies known information security weaknesses in the environment while minimizing the impact of the test on the target environment. The methodology includes both network and web-based penetration activities. Web-based testing follows a combination of ISECOM’s Open Source Security Testing Methodology Manual (“OSSTMM”) v2.0 and the Open Web Application Security Project (“OWASP”) Testing Guide. Web applications are tested for common security vulnerabilities, as well as for insecure functions that allow users to bypass security controls or elevate their privileges. These common vulnerabilities include:
- Broken Authentication and Session Management
- Cross Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross Site Request Forgery (CSRF)
- Using Components with Known Vulnerabilities
- Unvalidated Redirects and Forwards
- Buffer Overflow
- Insecure Communications
SOC 2 Examination
cPaperless completed a Type 1 SOC 2 examination in February 2016. The examination reports on the assertions made by management about their controls with regard to the AICPA Trust Services Principles and Criteria regarding:
Reporting Security Issues
If you have discovered a vulnerability in a cPaperless product, please email us at: support@cPaperless.com. Please include a detailed summary of the issue including the name of the product (e.g., SafeSend) and the nature of the issue you believe you’ve discovered. cPaperless will respond to your notification within a reasonable amount of time and will quickly work to fix the reported vulnerability.
cPaperless is committed to working with security researchers through the process of responsible disclosure, which is the practice of notifying a software vendor before publicly releasing information about a vulnerability. Responsible disclosure is important to the safety of our customers as it allows cPaperless to resolve security issues before they are made available to the hacking community. We strongly encourage anyone who is interested in researching and reporting vulnerabilities in our products to participate in the practice of responsible disclosure. We will make every effort to communicate with you while the vulnerability is being fixed and to acknowledge your report once the security issue has been resolved.
A Letter from the IRS Regarding E-Signatures
For your further examination, we have included a letter from the IRS here that outlines E-Signature requirements and best practices as well as the AICPA Response to IRS Announcement 2013-8, Recommendations for Proposed e-signature Standards.