Security at Snowfox

State-of-the-art Encryption

In transit, at rest, throughout processing.

In transit, at rest, throughout processing.

At Snowfox, all customer data is encrypted in transit and at rest. Also, internal connections between system components are encrypted and authenticated.

The HTTPS interfaces use TLS 1.2/TLS 1.3 for encryption, and the SFTP interface uses chacha20-poly1305, AES-GCM 128/256, and AES-CTR 128/196/256.

For data storage, we use Google-managed encryption. See here for details: 
Encryption at Rest
Encryption in Transit

Advanced Network Access Controls

Ingress, egress, and even DNS are all restricted to a minimum.

We use firewalls, IP allowlists, and segmented networks, of course. But it doesn't stop there. We also use various methods for restricting egress traffic to prevent data exfiltration or command and control channels in the event of a compromised system.

Furthermore, the network access controls are connected to our threat detection system. As a result, we will know in real-time if there are, e.g., exfiltration or connect-back attempts.

365 Threat Detection

If there is an anomaly, we will know of it.

Snowfox runs a centralized logging system that knows everything that happens in the operating environment. Fully automated monitoring keeps a close eye on all the logs. Suspicious events, whether an input validation violation in a web application, a shell spawned in a container, or an unexpected egress network connection, gets reported to Snowfox security in real time.

Audit Trails

If somebody or something does anything, we will know of it.

All data access and administrative operations in the Snowfox system are logged. The logs are protected with a retention lock, which is to say, even Snowfox administrators cannot remove the logs even if they want to.

Third-party Penetration Tests / Security Assessments

Don't just take our word for it.

Snowfox conducts an annual security assessment with Nixu Cybersecurity. The scope includes all technical interfaces. We provide Nixu with all source code and give them full access to the system for maximum transparency.

The assessments are based on OWASP ASVS 4 level 2 and include topics like architecture and development practices. We give our customers the summary section of the report and fix all high and critical vulnerabilities as a top priority.

In the latest assessment (2022), Nixu didn't find any high or critical severity issues.

Data Residency

Know where your data is.

Snowfox implements technical and organizational measures to ensure that personal data is processed only within the EU/EEA (or when delivering certain services - countries outside EU/EEA with an adequacy decision from the European commission). These include: 

• Using regional EU/EEA cloud resources.
• Implementing access approval to block non-EU support access from Google.
• Organizational policy to prevent accidental creation of regional resources outside the EU/EEA region.

Deep Access Controls

It takes more than a password to access the Snowfox production environment.

Access to the production environment is granted to select staff on a need-to-know basis, following the principle of least privilege. A private VPN and other factors, such as MFA using U2F keys, are required to access.

Rigorous Training

For all Snowfox staff on a regular basis.

All Snowfox personnel undergoes regular security awareness and privacy/data protection training. Your data is in good hands with us.