Nitro makes working with documents more efficient, more modern, and more secure. Our full-time team of information security experts is dedicated to gaining and maintaining your trust by keeping our information systems secure and your data protected.
Since we consider data security to be our number-one job and priority, we build security into each stage of the System Development Lifecycle for all Nitro products.
We follow industry best practices to transfer, process, and store customer data. All Nitro cloud–enabled features use state-of-the-art computing facilities that satisfy key industry standards, such as PCI DSS, HIPAA, and SOC. Our primary data center is in the EU in Frankfurt, Germany.
Nitro protects documents in motion and at rest with digital audit trails and SSL AES encryption. Through extensive logging and instrumentation, we monitor our production environment to audit security, availability, access, and other metrics for our services.
We use a combination of automated tools and manual inspection to ensure constant oversight of security events. For much of our cloud infrastructure, we use Amazon Web Services (AWS), which provides extensive documentation about their security practices here. AWS employs cutting-edge data security measures, as well as physical access restrictions at server locations. The list of AWS certifications, including ISO 27001 and SOC reports 1, 2, and 3, is available here.
For a full list of Nitro certifications, including SOC 2 Type 2, HIPAA, and Privacy Shield, please click here.Click here to see the latest security updates from Nitro »
At Nitro, we test our platforms and products every day. We commission external industry experts to perform regular security audits and penetration tests of Nitro. These rigorous assessments ensure that our practices are not only up to date with current standards, but that we’ve also tested and fortified Nitro against the latest vulnerabilities identified by security professionals.
We go to great lengths to ensure no one sees or processes your data unless they’re authorized to do so—and we strictly limit exceptions. All employees are subject to background checks, and access to production servers is limited solely to engineers who need to work directly with our production systems.
CIS is the Centre for Internet Security, a 501 non profit organisation whose mission is to "identify, develop, validate, promote, and sustain best practice solutions for cyber defense and build and lead communities to enable an environment of trust in cyberspace"
The CIS AWS Foundations Benchmark is a set of industry accepted best practices for Amazon Web Services infrastructure. Nitro have adopted and incorporated the CIS AWS Foundations Benchmark as part of our Information Security Management System. Read more about the CIS AWS Foundations Benchmark.
HIPAA is the Health Insurance Portability and Accountability Act , passed by US Congress in 1996 to mandate industry wide standards for handling health care information.
HIPAA is concerned with the Protection and Confidential Handling of Health Information. The HIPAA Privacy regulations require health care providers and organizations, as well as their business associates, to develop and follow procedures that ensure the confidentiality and security of protected health information (PHI) when it is transferred, received, handled, or shared. This applies to all forms of PHI, including paper, oral, and electronic, etc. Furthermore, only the minimum health information necessary to conduct business is to be used or shared. Read more about HIPAA.
As of September 2017, Nitro have been audited, assessed and certified as satisfying the HIPAA Final Security Rule with respect to user entities' PHI data.
SOC is the Service Organization Control standard. SOC is controlled by the American Institute of Certified Public Accountants (AICPA), and is the AICPA information security compliance standard. SOC 2 is a strategic goal for Nitro on the Product Roadmap, and a key milestone on the Information Security Roadmap. SOC 2 is independent, verified and tangible proof that Nitro values the Security of our Customer’s data as highly as we value our own data. The SOC 2 audit deep-dives into Nitro’s Availability, Security, Privacy, Confidentiality and Integrity controls, ensuring they are robust, consistent and fit-for-purpose. Nitro is SOC 2 Type 1 certified. Read more about SOC 2.
NIST is the US - National Institute for Standards and Technology. NIST SP (Special Publication) 800-53 covers Security & Privacy Controls for Information Systems and Organisations. Nitro have adopted and incorporated NIST SP 800-53 as best practice and an integral part of our Information Security Standards. Read more about NIST SP 800-52 standards.
EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy. Read more about GDPR.
ISO is the International Organisation for Standardisation. Nitro have licensed the ISO 27000 suite of information security standards as best practice for Information Security Management Systems (ISMS). Nitro have adopted and incorporated the following ISO Standards, guidance and best practice as part of our Information Security Management System:
Read more about ISO 27000.
The EU-US Privacy Shield is a framework for transatlantic exchanges of personal data for commercial purposes between the European Union and the United States. Privacy Shield enables US companies to more easily receive personal data from EU entities under EU privacy laws meant to protect European Union citizens. The EU-US Privacy Shield is a replacement for the International Safe Harbor Privacy Principles.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed by the U.S. Department of Commerce and the European Commission and Swiss Administration to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce. Read more about Privacy Shield.