We value our customers' trust in keeping their data secure with SplashID Safe.

Application Security

SplashID Safe applications are OWASP TOP 10, SANS TOP 25 and CWE (industry best security standard) compliant. Application layer attacks are handled by secure programming techniques and hand-picked security packages. Our developers are security trained and follow a stringent security checklist which must be verified before we release any new update or product version. Our dedicated team of security professionals uses Netsparker, Burp Suite, Acunetix and manual hack exploits to ensure no common vulnerabilities are missed and new attacks are covered. All SplashID Safe product versions are developed and tested with cross data leakage, privacy and security as priorities. Additional security controls such as dual authentication, secret key and user role mapping are integrated at the web application layer and on the server side. Our stringent application security policy ensures all SplashID Safe versions are tested periodically and also with every code change.

Network Security

Apart from firewall security, SplashID Safe ensures every request is encrypted over the network layer. Every request is sent over a high-strength SSL connection (256-bit cipher). In addition, SplashID Safe encrypts every record at the transport and application layer. Our dedicated security team performs network scans regularly using Nessus, Qualys and Nmap to detect network-related vulnerabilities.

Server Security

SplashID Safe's servers are security hardened on Rackspace across a multiple-tier architecture. Our servers are regularly checked for malware, rootkits and software updates. The servers are backed up on a daily basis.

Advanced Security Features

Local Only records - Cloud Services users can now designate any record in SplashID Safe as Local Only. This means the record stays local on the device selected and does not sync (in an encrypted state) to the cloud server like other records. If the selected record is already on the web app or on any other devices running SplashID Safe, it will get deleted from those apps. At any point, you can undo the Local Only setting, and the record would then sync back to the cloud server and appear on all your devices.

2-Factor Authentication - 2-factor Authentication is recommended to increase the security of your SplashID Safe account. The 2nd factor is an additional code that needs to be entered when your SplashID Safe account is accessed from a new desktop, device or browser. Once you confirm access is authorized with the additional code, you will no longer need to enter the 2nd factor code when you log in from that device or browser.

Share Securely - Share SplashID Safe records securely with anyone, whether they use SplashID Safe or not. Sharing with a SplashID Safe Cloud Services user prompts the receiver to import the records into their account. Sharing with a WiFi sync or Local storage user or with a non-SplashID Safe user sends a secure link over email from which the records can be viewed. The shared records will be deleted once viewed and the link is valid only for 24 hours. Records are password protected, and you have the option of including that password in the email that is sent, or of leaving it out and sharing the password verbally for increased security.

Security Team Hall of Fame

Our mission with SplashID Safe is keeping customer information confidential - your information needs to be kept your own, secure and private. Over the past decade, we have worked with our community of users and with security researchers to improve SplashID Safe's security. We recognize security is an ongoing process, and we need to constantly evolve to meet new threats. We appreciate all security concerns reported to us, and we value feedback.

If you feel you have found a potential security issue with SplashID Safe, please let us know. When reporting potential issues, please be as thorough as you can in providing enough detail so that we can recreate your finding. Email us directly. We will respond as soon as we can. Once you have submitted a security concern, we may follow up with you to get additional information. Once we have validated a concern and implemented a fix, we will thank you for your assistance and also recognize you if you would like.

SplashData would like to thank the following security experts who have contributed to helping improve SplashID Safe's security.

  • Agastya Rudroj
  • Aleksandr Vasilyev
  • Anagha
  • Andrea Possemato
  • Atulkumar Hariba Shedage
  • Bhaskar Borman
  • Blessen Thomas
  • Chandroliya Ravi
  • Clifford Trigo
  • Danish Tariq
  • Devesh Bhatt
  • Garry D. Bacalso
  • Ghanashyam Sreehari
  • Gineesh George
  • Hakimuddin Gheewala
  • Hardik Parekh
  • Hardik Tailor
  • Hari Krishnan
  • Inaki Rodriguez
  • Jatin Mangani
  • Jay Vardhan
  • Jeevan Dahake
  • Kamal Singh
  • Kamil Sevi
  • Karthickumar Ramanathapuram
  • Kesav Viswanath
  • Kiran Karnad
  • Lalit Kumar
  • Le FeOx
  • Lyon Yang
  • Manish Bhattacharya
  • Manish Kumar
  • Mathias Karlsson
  • Maulik Shah
  • Meris Bihorac
  • Michael Smith
  • Mihir Mistry
  • Monendra Sahu
  • Muhammad Talha Khan
  • Muhammad Waqar
  • Nailo Mimo
  • Nakul Mohan
  • Nilesh K
  • Nitin Goplani
  • Osama Ansari
  • Osama Mahmood
  • Osanda Malith Jayathissa
  • Paras Pilani
  • Parichay Rai
  • Paul Seekamp
  • Prayas Kulshrestha
  • Rafael Pablos
  • Ranjan Kathuria
  • Ravindra Singh Rathore
  • S Venkatesh
  • Sachin Kediyal
  • Salman Khan
  • Sander Van der Borght
  • Shpend Kurtishaj
  • Shubham Gupta
  • Siddhesh Gawde
  • Sriram Shyam
  • Stefano Ivan Stinga
  • Surya Subhash
  • Swapnil A. Thaware
  • Tony Trummer
  • Vinoth Kumar
  • Vishal Sonar

Frequently Asked Questions

Unique among password managers, SplashID Safe offers you the choice of syncing and storing data using secure cloud services, your own local Wi-Fi network, or local storage on your device.
As long as you have a secure master password for SplashID Safe, your data is very safe. SplashID Safe applications on mobile devices and for Windows and Mac only allow a small number of incorrect password attempts before all local records are erased.
Rackspace, a well established leader in secure cloud services.
No, there is no "forgot password" feature in SplashID Safe, only a password hint if you choose to set one. We have no access to user passwords -- we don't know what they are. We don't enable password deletion remotely or by us. Password reset is also not possible.
We have deployed open source WAF on production servers and have regular application security, network security and server security exercises conducted on all our supported platforms. We have a multiple tier architecture with clear segregation of application and database servers.
We have designed SplashID Safe services to have uptime commensurate with other critical web services. Even in the case of an offline scenario, SplashID Safe client applications for mobile and desktop clients offer local access.
We use a combination of encryption algorithms in our designs, including 256 bit AES and 128 bit Rijndael.
Yes, we salt user emails and passwords.
Once you log into your account, you can delete all your records or your entire account and this will erase all data stored on our server and then the backup.
Yes, every page is sent over an SSL connection. The preferred cipher is 256 bit for the SSL connection. After the user session has ended, all bound data is erased from the web server. No data is cached in the web server or in session variables.
We welcome analyses and reports from security experts and researchers. Please visit this page to learn more about submitting a report and becoming a member of our valued security community.
SplashID Safe is not affected by Heartbleed! Since SplashID Cloud Services is run on Microsoft IIS servers, and not Linux or Unix servers, it does not employ the OpenSSL library that contains the Heartbleed vulnerability. That said, this is a widely used library that will affect many of the websites you log in to, and this vulnerability has existed for some time, so we recommend that you change passwords on all sensitive sites at this time to be safe. You can use the password generator feature in SplashID Safe to generate strong passwords and save them in your SplashID records for easy (and secure!) recall. For more info on Heartbleed, click here.

About SplashData

SplashData has been a leading provider of security applications and services for over 10 years. The company's secure password and record management solution SplashID Safe has over 1 million individual users worldwide as well as hundreds of business and enterprise clients. SplashData was founded in 2000 and is based in Los Gatos, CA.
