Updated Sept 20th, 2023
Orangedox helps our customer secure their documents, allowing them to be confident that only the intended recipient gains access. However, is it ok to trust Orangedox with your confidential documents? And what measures does Orangedox employ to ensure their platform is safe?
How safe is Orangedox?
Entrusting an online service with your confidential files is a decision that shouldn't be taken lightly. To that point here's a list of the security best practices that Orangedox employs to help secure your confidential files on our platform.
Orangedox integrates directly with your cloud storage provider, either Google Drive or Dropbox. Doing so allows Orangedox to pull files directly from your cloud storage provider, allowing you to update your shared files without having to re-upload them. However, this does require that Orangedox has continued access to your cloud storage account. This is done with OAuth Access Tokens that Orangedox stores and uses to gain access to your account. These access tokens are encrypted by Orangedox using 256-bit Advanced Encryption Standard (AES-256) then stored on Amazon AWS. At no time does any internal employee at Orangedox have access to unencrypted access tokens.
Only Previewed Files are stored by Orangedox
Unlike similar document protection services Orangedox doesn't store every file that you share with our service. Instead we integrate with your cloud storage service, either Google Drive or Dropbox, and whenever someone downloads a file shared via Orangedox it comes directly from your cloud storage provider. At no time does Orangedox cache or store this file.
However there exceptions to this, any file that Orangedox generates a preview (full list here) will be stored on our servers. This is required so that Orangedox can provide a web preview of your file online, which we term 'Previewed Files'
Previewed Files Encryption
All previewed files are stored on Amazon's S3 and are encrypted with 256-bit Advanced Encryption Standard (AES-256).
Access to Previewed Files
Previewed files are not accessible by internal Orangedox employees, and only designed security engineer(s) are granted access in one of the following scenarios
- to verify that the file does not violate our Terms of Service: Acceptable Use Policy
- to debug an issue with the previewed file at the customer's request
Removal of Previewed Files
Orangedox does not keep previewed files indefinitely, periodically we clean out old versions of previewed files that are not currently shared.
If you have any questions on how we handle our customers data please reach our security team at firstname.lastname@example.org