Security

Data security is Elven's lifeline.

We protect the security of user data from three perspectives: regulations, permissions, and technology, ensuring comprehensive protection.

Compliance

We have successfully achieved rigorous SOC2 certification and maintain ongoing compliance audits.

Security Policies:

In strict accordance with SOC2 standards, our employees have undergone training and have attested to 21 security policies. They have actively participated in 17 security-related project initiatives, which encompass, but are not limited to:

  • Risk awareness training sessions
  • Third-party service usage standard training
  • Privacy protection training
  • Remote work and personal device usage rule training
  • Data management project development training
  • Endpoint security system development
  • Cloud service security system development
  • Risk assessment and control system development

Security Audits:

We undergo annual data security audits conducted by authoritative agencies.

Penetration Testing:

We regularly engage professional teams to conduct penetration testing on our systems.

Permission

Users have absolute control over their own data.

Management Permissions:

Administrators can authorize members, deciding who can view and edit specific data.

Activity Logs:

User actions are recorded, capturing login, browsing, and modification activities. Critical pages display watermarks with user IDs.

Data Deletion:

Users can easily delete their data, and Elven retains no backups. Rest assured, your data is entirely under your control.

Technical

Encryption for Data Transmission and Multi-Location Data Storage

Data Storage Infrastructure:

  • Files are securely stored using S3 encryption and a dual-storage architecture of multi-master and slave databases.
  • A multi-cloud, multi-region backup strategy is implemented to ensure data redundancy.
  • Critical sensitive data is stored using dynamic data masking, preventing internal and external data leaks.
  • We are actively implementing homomorphic encryption to ensure end-to-end data security for our customers.

Web Platform:

  • Enterprise-level HTTPS encryption secures communications across the entire domain.
  • Full integration with Cloudflare safeguards against DDoS attacks and malicious scraping attempts.
  • The JWT protocol is employed to encrypt transmission for all API calls, preventing tampering and impersonation.
  • User behavior fingerprinting and operation tracing are applied, preventing multiple logins and enabling behavior-based notifications.
  • Flexible and configurable anomaly detection alerts and service degradation mechanisms are in place.

Development and Operations:

  • Strict control of permissions in code repositories.
  • Passwords are never stored in plaintext within the codebase, thanks to the use of Key Management Service (KMS).
  • All production machines are maintained through a jump server, so their maintenance is not exposed to the public network.
  • Ownership and access to production machines are rigorously controlled.