Last updated at: 01.07.2023
This document describes the technical and operational security measures and frameworks implemented by viewflip in order to keep customer data safe.
Sensitive User Data
viewflip does not store any window content, remote control input or audio and video chat data. Personal identifiable information is collected during the sign-up process and stored on encrypted infrastructure. viewflip does not and never will sell your personal data.
Window sharing and mouse/keyboard input
viewflip allows users to share individual windows instead of their whole screen. The recipient will only be able to see and interact with the windows that the sender has selected. This allows the sender to keep the rest of their desktop environment private and prevents situations where the sender would involuntarily share sensitive information from other applications or parts of the desktop environment, such as e-mail notifications, sticky notes or file lists.
Mouse and keyboard input from the recipient is limited only to the windows that the sender chose to share. Unlike other remote control solutions this limits the control that the recipient can have over the sender's system only to the boundaries of the selected windows, keeping the rest of the system secure. Unless you are explicitly sharing a file explorer window the recipient is not able to see your filesystem.
Window streams from the sender and mouse/keyboard input from the recipient are encrypted by default and are not recorded or stored anywhere.
Unlike US-based solutions, viewflip is fully GDPR compliant. As a German company with server locations in Germany, viewflip is exclusively subject to German and European jurisdiction. This also means that laws from EU third countries, such as the Cloud or Patriot Act from the USA, cannot be enforced.
Data processing takes place exclusively on European servers. viewflip core services are running on infrastructure operated in Germany. viewflip acts as a data processor - a contract for data processing according to GDPR can be setup on request.
Services storing user data are employing storage encryption. viewflip supports export and removal of personal data on request.
Personally Identifiable Information (PII)
viewflip requires your e-mail address and name to create an account. This information is necessary to enable communication between the customer and viewflip. Furthermore it is necessary for users to be able to find and connect with each other. It is up to each user to decide whether "Find by e-mail" should be possible. This data is only used where it is unavoidable (e.g. sending e-mails to a user, finding a user via e-mail). Whenever possible anonymized user IDs are used.
When a user registers, a highly secure pass-key is automatically generated and stored in the credentials storage of the operating system. This storage is a feature of the underlying operating system itself to securely store sensitive user credentials. The password-less registration process prevents the user from picking an insecure password, reusing existing passwords or storing their password in an unsecure location (for example as plain-text in a text file).
Access Tokens and Service Credentials
User credentials are stored in a managed identity managment system. User authentication uses the augmented password-authenticated key exchange protocol SRP.
Access tokens for the service API that derived from the user credentials are rotated frequently.
All server components and services are encrypted at rest by default. Any traffic with server APIs and other viewflip clients is encrypted by default and enforced on all components. Transport Layer Security (TLS) is used both for HTTPS, Websocket and Peer-to-Peer real-time communication.
Any window streams or mouse/keyboard input is encrypted and transmitted using the enterprise-grade security standards DTLS-SRTP. viewflip does not store any of this data, neither locally nor server-side.
viewflip does not manage it's own hardware infrastructure but leverages fully managed cloud services of Amazon Web Services (AWS). For more information on AWS security compliance you can refer to their respective compliance documents.
AWS has ISO 27001 compliance, which is a code of security practices that focus on protection of personal data in the cloud. It also provides a set of controls and associated guidance intended to address public cloud PII protection requirements. For more information, please refer to the AWS ISO27001 compliance FAQ.
Security issues, incident indications and information requests or concerns can be brought to our attentions via firstname.lastname@example.org.
If you have any questions regarding our security management or in any other belongings, don't hesitate to get in touch with us and use the contact form below: