Security & Trust
Last updated: December 15, 2025
Security Philosophy
Security is foundational to everything we build at Silvoo. We understand that you trust us with sensitive business documents, and we take that responsibility seriously.
Our approach to security is guided by several core principles:
- Defence in depth: Multiple layers of security controls protect your data, so that the compromise of any single layer does not expose your information.
- Least privilege: Access to systems and data is restricted to the minimum necessary for each role or function.
- Security by design: Security considerations are integrated into our development process from the outset, not added as an afterthought.
- Continuous improvement: We regularly assess and enhance our security posture in response to evolving threats and industry best practices.
We are committed to being transparent about our security practices while protecting details that could compromise the effectiveness of our controls.
Infrastructure and Hosting
Silvoo takes an EU-first approach to infrastructure. Our production systems are hosted within the European Economic Area using established cloud infrastructure providers.
- Data residency: Customer data is stored and processed within the EU by default. We do not transfer customer documents outside the EEA without appropriate safeguards.
- Provider selection: We select infrastructure providers based on their security certifications, compliance posture, and track record. Our providers maintain industry-standard certifications.
- Redundancy: Our infrastructure is designed for high availability with redundancy across availability zones to minimise the impact of hardware failures or localised outages.
- Network security: We employ firewalls, network segmentation, and intrusion detection to protect our infrastructure from unauthorised access.
Data Encryption
Encryption in Transit
All data transmitted between your browser and Silvoo is encrypted using Transport Layer Security (TLS):
- TLS 1.2 or higher is required for all connections
- Strong cipher suites are enforced; weak ciphers are disabled
- HTTP Strict Transport Security (HSTS) prevents downgrade attacks
- Internal service-to-service communication is also encrypted
Encryption at Rest
Data stored on our systems is encrypted at rest:
- AES-256 encryption for stored documents and data
- Database encryption using provider-managed keys
- Encrypted backups stored separately from production systems
- Key management following industry best practices
Access Control and Authentication
Customer Access Controls
Silvoo provides robust access control features for your organisation:
- Role-based access control: Define roles with specific permissions and assign them to team members.
- Granular permissions: Control access at the document, folder, and workflow level.
- Multi-factor authentication: Additional verification beyond passwords for account security.
- Session management: Configurable session timeouts and the ability to revoke active sessions.
- Single Sign-On: Available for enterprise plans to integrate with your identity provider.
Internal Access Controls
Access to Silvoo's production systems and customer data by our team is strictly controlled:
- Principle of least privilege applied to all internal access
- Multi-factor authentication required for all staff
- Access reviews conducted regularly
- All access to production systems is logged
- Customer data is accessed only when necessary to provide support or resolve issues, and with appropriate authorisation
Audit Logs and Traceability
Comprehensive logging enables accountability and supports compliance requirements:
- User activity logs: Track who accessed, modified, or shared documents within your organisation.
- Workflow audit trails: Complete history of approval actions, signatures, and workflow state changes.
- Authentication events: Login attempts, password changes, and session activity.
- Administrative actions: Changes to permissions, settings, and configuration.
Audit logs are:
- Append-only with trigger-enforced write protection
- Retained according to your service agreement
- Exportable for your compliance and record-keeping needs
- Protected with the same security controls as other customer data
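The append-only, trigger-enforced write protection described above can be demonstrated with a small database schema. The following is an added example, not Silvoo's own code or schema: it uses SQLite through Python's standard library, and the table name, column names and sample events are assumptions constructed for illustration. Two BEFORE triggers abort any UPDATE or DELETE against the audit table, so rows can be inserted but never altered or removed by the application's database connection.

```python
import sqlite3

# Constructed demonstration of an append-only audit log. The table and
# column names are assumptions for this example, not a real product schema.
SCHEMA = """
CREATE TABLE audit_log (
    id       INTEGER PRIMARY KEY AUTOINCREMENT,
    occurred TEXT    NOT NULL DEFAULT (strftime('%Y-%m-%dT%H:%M:%fZ', 'now')),
    actor    TEXT    NOT NULL,
    action   TEXT    NOT NULL,
    target   TEXT    NOT NULL
);

-- Any attempt to change an existing row aborts the whole statement.
CREATE TRIGGER audit_log_no_update
BEFORE UPDATE ON audit_log
BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only: UPDATE rejected');
END;

-- Any attempt to remove a row aborts the whole statement.
CREATE TRIGGER audit_log_no_delete
BEFORE DELETE ON audit_log
BEGIN
    SELECT RAISE(ABORT, 'audit_log is append-only: DELETE rejected');
END;
"""


def open_audit_db():
    """Create an in-memory database with the append-only audit table and its triggers."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record(conn, actor, action, target):
    """Append one audit event; inserts are the only write the triggers allow."""
    conn.execute(
        "INSERT INTO audit_log (actor, action, target) VALUES (?, ?, ?)",
        (actor, action, target),
    )
    conn.commit()


def try_write(conn, sql, params=()):
    """Run an arbitrary write. Return None on success, or the trigger's
    error message when the statement was aborted (the row stays untouched)."""
    try:
        conn.execute(sql, params)
        conn.commit()
        return None
    except sqlite3.DatabaseError as exc:  # RAISE(ABORT) surfaces as a constraint error
        conn.rollback()
        return str(exc)


def row_count(conn):
    return conn.execute("SELECT COUNT(*) FROM audit_log").fetchone()[0]


def demo():
    """Record two constructed events, then show that tampering is rejected."""
    conn = open_audit_db()
    record(conn, "alice@example.test", "document.view", "doc-42")
    record(conn, "bob@example.test", "document.share", "doc-42")
    return {
        "update": try_write(conn, "UPDATE audit_log SET actor = 'someone-else' WHERE id = 1"),
        "delete": try_write(conn, "DELETE FROM audit_log"),
        "rows": row_count(conn),
    }


if __name__ == "__main__":
    print(demo())
```

The triggers protect against the application's own database role, including a bug or a compromised application credential that tries to rewrite history. They do not protect against an administrator who can drop the triggers or the table, which is why this control is normally paired with a restricted database role for the application and with the separately stored, exportable copies the list above mentions.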
AI Security and Isolation
We apply rigorous security practices to our AI and machine learning features:
- Data isolation: Your documents are processed in isolation. AI processing for one customer does not have access to another customer's data.
- No training by default: We do not use your documents to train AI models unless you explicitly opt in to such programmes.
- Third-party AI services: Where we use external AI providers, appropriate data processing agreements and security controls are in place.
- Input validation: Content processed by AI features is validated and sanitised to prevent exploitation.
- Output review: AI-generated outputs are clearly marked and should be reviewed by users before being relied upon.
We continuously monitor developments in AI security and update our practices accordingly.
Incident Response and Monitoring
Continuous Monitoring
We employ multiple layers of monitoring to detect and respond to security events:
- Automated monitoring of system health and performance
- Security event logging and analysis
- Alerting for anomalous activity or potential threats
- Regular vulnerability scanning of our infrastructure and applications
Incident Response
We maintain documented incident response procedures:
- Defined escalation paths and response team responsibilities
- Procedures for containment, investigation, and remediation
- Communication protocols for notifying affected customers of applicable data breaches within 72 hours, in accordance with GDPR requirements
- Post-incident review and continuous improvement processes
Compliance Posture
Silvoo is designed with compliance in mind, particularly for organisations operating within the European regulatory environment:
- GDPR: Our platform and practices are designed to support compliance with the General Data Protection Regulation. We act as a data processor on behalf of our customers and offer Data Processing Agreements.
- eIDAS mindset: Our electronic signature capabilities are designed with awareness of the eIDAS framework for electronic identification and trust services.
- Data localisation: EU data residency supports compliance requirements for organisations that must keep data within the EEA.
We work with customers to understand their specific compliance requirements and provide documentation to support their compliance programmes.
Customer Responsibilities
Security is a shared responsibility. While we secure the Silvoo platform, you play an important role in protecting your data:
- Account security: Use strong, unique passwords and enable multi-factor authentication. Do not share account credentials.
- Access management: Regularly review user access and permissions. Remove access for users who no longer require it. Apply the principle of least privilege.
- Device security: Ensure devices used to access Silvoo are secured with up-to-date operating systems, antivirus software, and screen locks.
- Data classification: Understand the sensitivity of documents you store and apply appropriate access controls.
- Training: Educate your team about security best practices and how to recognise phishing or social engineering attempts.
- Reporting: Promptly report any suspected security issues or unauthorised access to our security team.
Compliance Roadmap
We are continuously investing in our security and compliance programme. We want to be transparent about where we are today and where we are heading.
Current state: Our security practices are designed to meet the needs of EU startups and SMEs handling sensitive business documents. We implement industry-standard security controls and maintain GDPR-compliant data handling practices.
In progress and planned:
- Formalising security policies and procedures for external audit
- Evaluating SOC 2 Type II certification timeline
- Exploring ISO 27001 certification pathway
- Expanding penetration testing programme
We do not currently hold SOC 2 or ISO 27001 certifications. We will update this page as our compliance programme matures. If your organisation requires specific certifications, please contact us to discuss your needs and our timeline.
Security Contact
We value the security research community and welcome responsible disclosure of potential vulnerabilities.
If you discover a security issue, please report it to:
Security Team
Email: security@silvoo.io
When reporting a vulnerability, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant technical details or proof of concept
We commit to:
- Acknowledging receipt of your report within 48 hours
- Investigating and providing updates on our findings
- Working with you to understand and resolve the issue
- Not pursuing legal action against researchers acting in good faith
For general security enquiries or to request security documentation for procurement purposes, please contact us at the email address above.