We require all employees and freelancers to sign a confidentiality agreement and comply with our cybersecurity policy.
We are reviewing our cyber security policy every quater and train our team on security regularly.
We enforce a device management policy (password strength and rotation, lock screen when leaving the desk, disk encryption, remote lock).
Our employees and freelancers must report all actual or suspected IT security incidents.
By default, our employees and freelancers don't have access to user data. Exceptions can be made for customer support.
Our service is built on several cloud service providers, including Amazon Web Services (AWS), Digital Ocean, and Mongo DB Atlas. Those providers come up with robust security mechanisms to protect our infrastructure.
Our networking infrastructure (routers, load balancers, DNS servers,...) also runs in the cloud.
All communications are performed through end-to-end HTTPS encryption.Access to our network is strictly controlled using a VPN with network access control lists (ACL) and IP whitelisting.
Our inbound and outbound network traffic is monitored and controlled using firewalls and IP whitelisting.
We are using an industry-leading solution to mitigate our risk of Distributed Denial of Service (DDoS).
We are using solutions to monitor the performance of our platform and log errors in our service.
We are using separate environments for testing and production.
Your documents are hosted in Europe (France) or North America (USA, Virginia), depending on your account's settings.
Your data is stored in Europe (France).
All data coming to or sending from our infrastructure is encrypted in transit using Transport Layer Security (TLS 1.2).
All our user data is encrypted at rest using AES 256-bit encryption algorithm.
We are anonymizing, or we do not transmit sensitive data to our sub-processors.
We are following OWASP security best practices to protect our solution.
We are strictly controlling who has access to our source code.
We are restricting access to production data to authorized staff members only and protecting it by 2FA, VPN access, and IP Whitelisting.
We are reviewing our code systematically for security vulnerabilities.
We are monitoring and updating our dependencies to make sure none of them has know vulnerabilities.
GDPR is a regulation put in place in the EU since 2018. The goal of this regulation is to protect the data of users of internet services.
At Collect, data privacy is one of our top priorities. For this reason, we put all our efforts to be fully compliant with the GDPR regulation. We have detailed some of our actions to ensure we're compliant on a dedicated section of our knowledge base.
We don't store any payment information (except non-usable details that can be used by customer support, for example, the last four digits of the card).
We are using Stripe for everything related to payment. Stripe is certified PCI Level 1 and safely safeguard all payment information for us.