Egnyte is a cloud or locally managed file storage & sharing system for business. Egnyte is based in Mountain View, California USA and has been operating since 2008. You can contact real, live, support people 24/7 through their online portal, via email, or by phone. Egnyte encrypts all data in transit between your computer and their servers. They also encrypt your data while it is stored on their servers. Egnyte does not disclose its data centre location or expected service availability. However, they do stipulate that they only host their servers in data centres that have been independently audited to a high level of security. Data can easily be uploaded to/downloaded from Egnyte through their desktop/mobile applications. Egnyte recognizes you as the owner of all data uploaded to your account and makes no claims to it. Upon account termination, all files will be retained for 30 days, after which they are removed from Egnyte’s system.
This disclosure was provided and researched by Arrowrock. Sources are cited where possible.
|Company Phone Number||650-968-4018|
|Company Email Addressemail@example.com|
|Physical Address||Egnyte Inc.
1890 N. Shoreline Blvd.
Mountain View, CA 94043
What services does this disclosure apply to?
What country holds legal jurisdiction over the service(s)?
USA – California, Santa Clara County
How long has your company been operating?
Since April 29, 2008
How long has your company been providing the service(s) covered in this disclosure?
Since April 29, 2008
Is your company currently profitable?
Investors include: Google Ventures, Kleiner Perkins Caufield and Byers, Floodgate Fund and Polaris Venture Partners.
What are your standard customer support hours?
24x7x365 United States Pacific Standard Time Zone
What channels are available for communication with clients?
Support page/email and telephone
Which is your preferred channel for client communications?
Do you collect any information from client communications?
We use your contact information and unique identifier (such as a user name and password) to provide access to the Egnyte service available on our website and to contact you when reasonably necessary. We may also use any information you have provided as reasonably necessary to administer or provide customer support for the website and the Egnyte service. We use the information submitted by you to send you correspondence and other information that may interest you and to respond to your correspondence. If, for any reason, you would like to be removed from our email list, you can send us an email at firstname.lastname@example.org
What is your standard response time for customer support inquires?
Do you proactively communicate information about future planned outages and maintenance to clients?
Do you proactively communicate information about current unscheduled outages and incidents to clients?
Do you make incident reports available to clients after major incidents?
What is the expected uptime of the service?
Has the service experienced any outages in the last 12 months?
Yes – details available in incident reports.
Does the SLA guarantee service uptime?
Are logs kept of client logins and locations?
Yes, logs are kept.
Does your service support password/account recovery?
Online password reset.
Does the service monitor for any suspicious account activity?
The network uses SSL encryption and a Network Intrusion Detection System that monitors and blocks hackers, worms, phishing, and all other infiltration methods. Any attempts to infiltrate the system produce an automatic alert, which Egnyte’s trained security team immediately responds to. In addition to the network firewalls, the data center uses separate local firewalls to provide an additional layer of data protection.
Does your service offer two-step or multi-factor authentication?
You can make your Egnyte account even more secure by using Two-step Login Verification. Two-step Login Verification (TSLV) requires a third piece of information (in addition to your username and password) in order to log in.
Egnyte has partnered with Duo Security, a leader in two-factor authentication, to secure your account with TSLV. If you have a smartphone, the Duo Mobile app’s “Duo Push” feature is a convenient way to grant access to your Egnyte account right from your smartphone.
Egnyte has provided you four different options to verify your login; this article will walk you through each one after providing instructions for initial TSLV set-up. The last section will address administration features available to users who are Egnyte domain administrators.
Admins who purchase the Advanced Authentication package can mandate the use of Two-step login verification (TSLV). TSLV requires the use of a third piece of information (in addition to username and password) to access an Egnyte account. We’ve partnered with two-step login leader Duo-Mobile to build an ironclad TSLV solution that allows the use of automated phone calls, text messages, “duo-push” notifications, or passcodes generated from Duo-Mobile’s smartphone application.
Does your service offer login via other services?
Larger organizations with existing authentication systems can choose to integrate their Egnyte account directly with their Active Directory. This allows companies to embrace the cloud without decentralizing user management. As users are created and deleted from Active Directory, they can be automatically granted or denied access to Egnyte cloud services. The full range of password and lockout policies set in Active Directory is enforced throughout all Egnyte access points (e.g. after 3 failed login attempts within a 15 minute window, the user account is locked out).
Egnyte also supports Single Sign On (SSO) through SAML 2.0 and partner integrations with a host of leading identity management solutions. This allows businesses to seamlessly integrate Egnyte into their existing workflow.
Does your service secure all client data in transit?
Yes. Egnyte has adopted the transmission practices of the most secure institutions in the world by using 256-bit AES encryption to encode data during transmission. 256-bit AES encryption is the strictest standard applied by the US Government for TOP SECRET documentation and ensures that even if company data were intercepted, it would be impossible to decipher.
Does your service secure client data at rest?
Yes – All data stored on Egnyte servers are automatically encrypted using AES 256-bit encryption, so that if someone were to gain access to data on the servers, the data would be impossible to read. The encryption key is stored in a secure key vault that is a separate database accessible only to the two executive heads of Egnyte’s Security Council. Additionally, data is stored in a hashed structure that can only be navigated through the Egnyte proprietary system software.
Does your service allow clients to collaborate with 3rd parties?
Does your primary system reside in a data center with a security certification?
Yes. End-to-end security starts with the ability to physically protect the servers where data resides. Egnyte provides this first line of defense by housing file servers in industry-leading Tier II, SSAE 16 compliant colocation facilities that feature 24-hour manned security, biometric access control, and video surveillance.
Does your backup/disaster recovery system reside in a data center with a security certification?
Do you claim ownership of any client data or information uploaded to your service?
No. As between Customer and Egnyte, Customer or its licensors own all right, title and interest in and to the Content.
Does the client retain full ownership of any data of information transmitted or stored via upstream providers?
Any such activities, and any terms associated with such activities, are solely between Customer and the applicable third-party. Similarly, Egnyte are not responsible for any third party content Customer access with the Services, and Customer irrevocably waive any claim against Egnyte with respect to such sites and third-party content.
Should Customer have any problems resulting from Customer use of any third party services, or should Customer suffer data loss or other losses as a result of problems with any of Customer other service providers or any third-party services, Egnyte will not be responsible unless the problem was the direct result of Egnyte’s breaches.
Does client use of your service generate any metadata or other statistical information?
As is true of most websites, we gather certain information automatically and store it in log files. This information includes internet protocol (IP) addresses, browser type, internet service provider (ISP), referring/exit pages, operating system, date/time stamp, and clickstream data.
We use this information, which does not identify individual users’, to analyze trends, to administer the site, to track users’ movements around the site and to gather demographic information about our user base as a whole. We do not link this automatically-collected data to personally identifiable information.
Where are the primary systems that host client data located?
Where are the backup/disaster recovery systems that host client data located?
Are there any other systems that host client data on behalf of your service?
Does the client have full access to their data during the service contract period?
Can the client freely download their data from the service during the contract period?
Can the client easily import/upload their data from a competing service provider into your service?
Does your services include an API to access client data?
Yes: WebDAV format.
Following termination of the service, will the client be able to access their data?
Following termination of the service, is all client data deleted?
Yes. By default, files remain in the Trash folder for 30 days, and can be extended up to 180 days by the administrator.
After files have been in the Trash folder for the designated period, they are emptied and completely removed from Egnyte’s system. Administrators may request to be notified before Trash content is emptied. To ensure compliance with data removal, Egnyte overwrites company data with random patterns of information to render the data unrecoverable. The following removal process is followed:
1. The original data and all file versions are removed from Egnyte servers
2. Replicated backup copies on local storage are removed
3. Replicated backup copies on secondary data centers are removed
4. The removal process deletes all metadata associated with the removed files, including notes, access history, thumbnails, and indexing content used in searches
Egnyte maintains an audit trail of all data removed by this process which can be made available in an audit report.
Does anyone in your organization (including contractors and upstream providers) have the ability to directly access client data?
Egnyte continually monitors access logs to confirm all Administrator activities, and at no time can Administrators ever access customer data.
Does your company use client data or information for any business function (other than the provision of the service)?
We may disclose your personally identifiable information to certain third party vendors (e.g., data storage facilities, payment processors, email service providers) used by Egnyte to assist us in providing the Egnyte services, to the extent necessary to enable such vendors to provide such assistance. These third parties are prohibited from using your personally identifiable information for any other purposes.
Does your company use client data or information to generate revenue (other than the provision of the service)?
We do not share, sell, rent or lease your personally identifiable information to third parties for their promotional purposes.
Do you access client data in any additional circumstance not yet specified in this disclosure?
Do you have a policy in place for dealing with data loss or breach?
Actions taken to prevent breach: Egnyte takes multiple steps to prevent unauthorized access after a user has logged in. First, Egnyte prevents cross-site request forgery and cross-site scripting, meaning that if another website attempts to access Egnyte through a foreign computer, Egnyte immediately recognizes the unauthorized request and will block all attempts. Egnyte also issues a session- specific cookie that keeps users logged into their account for a limited time only. This cookie expires after a certain period of inactivity set by the account administrator, requiring users to log in again.
Do you notify clients if their data has been lost or compromised?
Does your service support data versioning?
How often are service/client data backups performed?
Continuously: As a file backup solution, Egnyte HybridCloud delivers world class security for disaster recovery (in the case of data breach, data loss, cyber intrusion), and data protection ( e.g. full data encryption during transmission and rest, real time continuous backup with versioning, redundant online and local storage) without the need for additional hardware, software, maintenance, or tape backup units. Egnyte offers simple, reliable continuous file backup in three Local Cloud options to meet every business need.
What method is used to perform service/client data backups?
To protect from equipment failure, Egnyte stores all data on RAID6 storage servers. RAID technology ensures that in the event of a hard drive failure, data remains intact and available on other drives. An additional copy of each file is also replicated and stored on a separate server to protect against larger device failure. Data stored on these servers are continually monitored to protect against bit decay that threatens the integrity of files at rest. As a final precaution, administrators have the option to replicate their data to a secondary Tier II, SSAE 16 compliant facility where it is again replicated on RAID6 servers.
How long is backup data retained for?
The information in this report is provided “AS IS” without warranty of any kind, express or implied. Please use good judgement and verify the information you consider important before basing any decisions on it.