Micrio Security and Data Protection
Version: 1.0
Date: April 9, 2025
Document Status: Final
Online version
An alternative, online version of this document can be found at https://trust.micr.io/.
Document Information
- Document Owner: Micrio Security Team
- Last Review Date: April 9, 2025
- Next Review Date: October 9, 2025
- Classification: Public
Table of Contents
- Introduction
- Security Overview
- Infrastructure Security
- Data Protection
- Access Control and Authentication
- Application Security
- Monitoring and Incident Response
- Compliance and Certifications
- Operational Security
- Privacy Practices
- Business Continuity and Disaster Recovery
- Contact Information
- Appendix
1. Introduction
Micrio is a Software-as-a-Service (SaaS) platform that enables users to upload high-resolution images and create immersive, interactive experiences. As a trusted provider of digital content solutions, Micrio is committed to implementing robust security measures to protect our customers' data and ensure the reliability of our services.
This documentation outlines the comprehensive security practices, data protection measures, and compliance efforts that Micrio employs to safeguard your information. We understand that security is a critical concern for organizations, particularly government institutions, and we are dedicated to maintaining the highest standards of security throughout our platform.
The purpose of this documentation is to provide transparency about our security approach and to demonstrate our commitment to protecting your data. We believe that by sharing our security practices, we can build trust with our users and help them make informed decisions about using our services.
2. Security Overview
Multi-layered "Defense in Depth" Approach
Micrio employs a multi-layered "defense in depth" security strategy that implements protective measures at various levels of our service. This approach ensures that if one security control fails, others remain in place to protect your data and maintain service integrity.
Security Philosophy and Principles
Our security philosophy is built on the following core principles:
- Proactive Protection: We actively identify and address potential security risks before they can be exploited.
- Least Privilege Access: Access to systems and data is granted on a need-to-know basis, with the minimum permissions necessary.
- Regular Assessment: We conduct periodic security reviews and updates to maintain the effectiveness of our security controls.
- Continuous Improvement: We constantly evaluate and enhance our security measures to address evolving threats.
- Transparency: We provide clear information about our security practices to our users.
Key Security Features Summary
Micrio's key security features include:
- Enterprise-grade hosting infrastructure through Cloudflare
- Robust data encryption both at rest and in transit
- Strict access controls and authentication mechanisms
- Regular security reviews and updates
- Comprehensive backup and disaster recovery procedures
- Ongoing monitoring for suspicious activities
- Compliance with relevant regulations and standards
3. Infrastructure Security
Cloudflare Hosting Infrastructure
Micrio's infrastructure is hosted on Cloudflare's enterprise-grade platform, benefiting from their robust security features, content delivery network (CDN), and distributed denial-of-service (DDoS) protection. Cloudflare provides world-class hosting facilities that are secure, highly available, and redundant.
Enterprise-grade Platform Benefits
By leveraging Cloudflare's infrastructure, Micrio gains access to:
- Global network presence with edge locations worldwide
- Advanced threat intelligence
- Web Application Firewall (WAF) protection
- Bot management and mitigation
- Rate limiting to prevent abuse
DDoS Protection
Cloudflare's DDoS protection service automatically detects and mitigates attacks, ensuring that Micrio remains available even during large-scale attack attempts. This protection works at multiple layers (network, transport, and application) to provide comprehensive coverage against various attack vectors.
CDN Capabilities
Cloudflare's CDN improves both performance and security by:
- Caching content closer to users for faster delivery
- Reducing the load on origin servers
- Providing an additional layer of security between users and the origin infrastructure
- Optimizing content delivery based on device and connection type
Server Locations and Data Residency
Micrio's core services are hosted in Cloudflare's Western Europe data centers (identifier "weur"). This ensures that data remains within a specific geographic region, helping to address data residency requirements and reduce latency for users in those areas. For selected customers, their image data and content can be hosted globally, not bound to a specific geographic region. This is available on request.
Cloudflare Workers Architecture
Micrio utilizes Cloudflare Workers for all customer- and visitor-facing operations, which provides significant security advantages over traditional server architectures.
Serverless Architecture Security Benefits
The serverless architecture of Cloudflare Workers offers several security benefits:
- No traditional operating systems to patch or maintain
- Reduced attack surface compared to traditional server deployments
- Automatic scaling without manual intervention
- Isolation between execution environments
- Rapid deployment of security updates
No VMs or Separate OSes Running
Unlike traditional hosting models, Micrio's use of Cloudflare Workers means there are no virtual machines or separate operating systems running. This eliminates many common security vulnerabilities associated with operating system management, such as unpatched systems or misconfigured services.
Physical Security
Micrio relies on Cloudflare for the physical security of the data centers hosting our infrastructure. Cloudflare maintains state-of-the-art physical security controls, including multi-factor access control, 24/7 surveillance, and environmental protections. Cloudflare's data centers are certified against rigorous standards such as SOC 2 Type II and ISO 27001, ensuring robust physical security measures are in place.
4. Data Protection
Data Encryption at Rest
Micrio implements encryption for all data stored within our systems to protect it from unauthorized access.
Database Encryption
Micrio uses Cloudflare D1 Storage for database services. Cloudflare D1 automatically encrypts data at rest using industry-standard encryption algorithms (such as AES-256), managed entirely by Cloudflare. This ensures that even if physical access to storage media were somehow obtained, the data would remain protected.
Storage Encryption
For file storage, Micrio uses Cloudflare R2 Storage. Similar to D1, Cloudflare R2 automatically encrypts all stored objects at rest using strong encryption standards like AES-256, managed by Cloudflare. This includes all images and associated metadata uploaded to the platform.
Data Encryption in Transit
All data transmitted to and from Micrio is encrypted to protect it from interception during transfer.
TLS 1.3 Enforcement
Micrio enforces the use of Transport Layer Security (TLS) version 1.3 for all communications over public networks. TLS 1.3 provides improved security and performance compared to earlier versions, with stronger encryption algorithms and simplified handshake processes.
HTTPS Implementation
All communications with Micrio utilize HTTPS, ensuring that data exchanged between users and our services is encrypted. We maintain up-to-date SSL certificates and follow industry best practices for secure configuration.
Data Backup Procedures
Micrio leverages Cloudflare's robust infrastructure, which includes built-in data redundancy and backup mechanisms. We rely on Cloudflare's capabilities to ensure data availability and recoverability.
Data Classification and Handling
Micrio implements data classification to ensure appropriate handling of different types of information based on sensitivity and criticality.
Data Retention and Deletion Policies
Micrio has established clear policies for data retention and deletion:
- User-uploaded images can be permanently deleted by users through the Micrio dashboard
- No copies of deleted images remain on any of Micrio's servers
- Account termination requests are processed within 30 days, with all associated records and images removed
5. Access Control and Authentication
Authentication Mechanisms
Micrio implements secure authentication mechanisms to verify the identity of users accessing the system.
Password Policies
Micrio enforces strong password policies to protect user accounts from unauthorized access. These policies include requirements for password complexity.
Secrets Management
Micrio employs secure storage of credentials and API keys using Cloudflare Secrets. This service provides write-only storage for sensitive credentials, meaning that once stored, these secrets cannot be retrieved from the Cloudflare interface and are only passed to running instances when needed.
All application secrets, including internal API keys and password hashing salts, are stored using this secure mechanism. The original copies of these keys are maintained in a dedicated 1Password Micrio-specific vault, which undergoes access auditing twice per year to ensure only authorized personnel have access.
Authorization and Permissions Model
Micrio implements a robust authorization model that controls what actions users can perform once authenticated. This model is based on the principle of least privilege, ensuring users have only the permissions necessary to perform their required functions.
Access Limitation to Production Systems
Access to Micrio's production systems is strictly limited to authorized personnel only. This access is provided through secure channels and is regularly reviewed to ensure it remains appropriate.
Role-based Access Control
Micrio implements role-based access control (RBAC) to manage permissions efficiently. Users are assigned to roles that define their access rights, making it easier to manage permissions at scale and reduce the risk of excessive privileges.
Cloudflare Account Security
All Micrio team members with access to the Cloudflare management console are required to use Two-Factor Authentication (2FA) to enhance account security and prevent unauthorized access to infrastructure settings.
6. Application Security
Secure Development Practices
Micrio follows secure development practices throughout the software development lifecycle to minimize the introduction of security vulnerabilities.
Source Code Security
The Micrio codebase is stored in a secured GitHub environment. Access to the repositories requires Two-Factor Authentication (2FA) for all contributors, adding an extra layer of security to protect the source code from unauthorized access or modifications.
Dependency Management
Micrio takes a proactive approach to managing software dependencies to reduce security risks.
Regular Updates of Dependencies
Micrio exclusively uses stable, proven versions of its dependencies. Its architecture is designed to work with specific, tested versions of libraries. When updates are necessary for security reasons, they are carefully tested before deployment.
Vulnerability Monitoring
Micrio conducts regular manual security reviews and updates of dependencies. The platform leverages the security features of package management systems like NPM, which provide notifications about vulnerable packages. As soon as a dependency receives a security warning (such as an outdated package with vulnerabilities), Micrio ensures it is upgraded to a secure version. GitHub automatically checks for known security vulnerabilities in project dependencies using Dependabot. This provides continuous monitoring and alerts for potential risks within the software supply chain.
Security Testing Procedures
Micrio implements security testing throughout the development process to identify and address vulnerabilities before they reach production:
- Code Reviews: All code changes undergo peer review with security considerations as a key focus
- Static Analysis: Automated tools are used to identify potential security issues in code
- Dependency Scanning: Regular scanning of dependencies for known vulnerabilities
- Manual Security Testing: Periodic manual security testing of critical components
- Pre-deployment Testing: Security validation before changes are deployed to production
These testing procedures help ensure that security vulnerabilities are identified and addressed early in the development process, reducing the risk of security issues in the production environment.
API Security Measures
Micrio's APIs are designed with security in mind, implementing authentication, authorization, input validation, and other controls to protect against common API vulnerabilities.
7. Monitoring and Incident Response
Security Monitoring Approach
Micrio implements monitoring to detect suspicious activities and potential security incidents. This includes monitoring for unusual access patterns, authentication failures, and other indicators of potential compromise.
Threat Detection Capabilities
Micrio leverages Cloudflare's security features to detect and respond to threats. Cloudflare provides visibility into potential security issues through their dashboard, allowing for timely identification of attacks such as DDoS attempts.
Log Management and Review
Micrio maintains comprehensive logging of security-relevant events across the platform. Security logs are collected, stored securely, and reviewed regularly to identify potential security issues:
- Log Collection: Security-relevant events are logged across all components of the Micrio platform
- Log Review Frequency: Security logs are reviewed at least weekly, with automated alerts for suspicious activities
- Log Retention: Security logs are retained for a minimum of 90 days to support incident investigation
- Automated Monitoring: Cloudflare's monitoring tools automatically detect and alert on suspicious activities
- Review Process: Designated security personnel review logs according to established procedures to identify potential security incidents
When Cloudflare detects suspicious activities, they notify Micrio immediately. The Micrio security team then reviews these notifications and conducts appropriate investigations to determine if further action is needed.
Incident Response Procedures
Micrio has established incident response procedures designed for rapid detection, containment, eradication, recovery, and post-incident analysis of security events. Our goal is to minimize the impact of any incident and restore normal operations as quickly as possible while ensuring the security of customer data.
Notification Process for Security Incidents
In the event of a security incident that affects customer data, Micrio will notify affected customers in accordance with contractual obligations and applicable regulations. Cloudflare will notify Micrio should there be any suspicious activities, and Micrio will review and follow up with investigations.
Service Level Agreement (SLA) Commitments
Micrio's Service Level Agreements include commitments regarding security incident response, system availability, and other security-related aspects of our service.
8. Compliance and Certifications
Current Certifications
Micrio is in the process of obtaining ISO 27001 certification, with expected completion in Q2 2025. ISO 27001 is an internationally recognized standard for information security management systems (ISMS).
Compliance with Regulations
Micrio is committed to complying with relevant regulations, including the General Data Protection Regulation (GDPR). Our hosting providers (Cloudflare and previously Google) are GDPR compliant, ensuring that data protection requirements are met throughout our supply chain.
Regular Security Reviews and Audits
Micrio conducts regular security reviews to evaluate the effectiveness of our security controls. These reviews are performed twice per year and help identify areas for improvement in our security posture.
Third-party Security Assessments
In addition to internal reviews, Micrio leverages the security assessments performed by our hosting providers. Cloudflare undergoes regular third-party audits and has achieved numerous certifications, including ISO 27001, 27701, 27018, PCI DSS 4.0, FedRAMP Moderate, and SOC 2 Type II.
9. Operational Security
Change Management Procedures
Micrio implements change management procedures to ensure that changes to the system are properly reviewed, tested, and approved before implementation. This helps prevent the introduction of security vulnerabilities or service disruptions.
Asset Inventory Management
Micrio maintains an inventory of all assets used in the delivery of our service. This inventory is reviewed every six months to ensure it remains accurate and complete. This practice helps ensure that all assets are properly secured and that no unauthorized or unmanaged assets are present in the environment.
Security Awareness and Training
Micrio ensures that all personnel involved in the development and operation of the service receive appropriate security awareness training. This training helps staff recognize and respond to security threats effectively.
Vendor Management Security
Micrio carefully selects and manages vendors to ensure they meet our security requirements. We leverage vendors with strong security practices and compliance certifications, such as Cloudflare, to enhance the overall security of our service.
10. Privacy Practices
Privacy Policy Overview
Micrio's privacy policy outlines our commitment to protecting user privacy and describes how we collect, use, and protect personal information. The policy is regularly reviewed and updated to ensure it remains accurate and compliant with relevant regulations.
User Data Handling Practices
Micrio collects only the minimum amount of personal information necessary to provide our services. This includes:
- User-chosen username
- Email address (used only for account verification and forgotten password requests)
- Uploaded images and their inherent added image content ("Storytelling" and its assets)
Data Subject Rights and Procedures
Micrio respects the rights of data subjects under applicable privacy regulations. Users can request access to their personal information, correction of inaccurate information, and deletion of their data in accordance with our privacy policy.
Third-party Data Sharing Policies
Micrio does not share user data, information, or uploaded images with any third parties. We are committed to maintaining the confidentiality of user information and only use it for the purposes described in our privacy policy.
11. Business Continuity and Disaster Recovery
Micrio's architecture is built upon Cloudflare's highly resilient global infrastructure, which provides inherent redundancy and fault tolerance. Our Business Continuity and Disaster Recovery (BC/DR) strategy leverages these capabilities.
- Infrastructure Resilience: Cloudflare's platform is designed for high availability, automatically routing traffic away from failures and utilizing multiple data centers.
- Data Redundancy: Cloudflare services (D1, R2) include built-in data redundancy and backup mechanisms, ensuring data durability and availability.
- Serverless Architecture: The use of Cloudflare Workers minimizes single points of failure associated with traditional server management.
While Micrio maintains operational procedures for service monitoring and incident response, our primary BC/DR approach relies on the robust, distributed nature of the underlying Cloudflare platform to ensure service continuity and rapid recovery in the event of major disruptions.
12. Contact Information
Security Contact Details
For security-related inquiries or to report security concerns, please contact:
Email: security@micr.io
Reporting Security Concerns
If you discover a potential security vulnerability or have concerns about the security of Micrio's services, please report them promptly to security@micr.io. We take all security reports seriously and will investigate them thoroughly.
Support Channels
For general support inquiries, please contact:
Email: support@micr.io
Appendix
Glossary of Terms
- CDN (Content Delivery Network): A distributed network of servers that delivers web content to users based on their geographic location.
- DDoS (Distributed Denial of Service): An attack where multiple compromised systems are used to target a single system, causing a denial of service.
- GDPR (General Data Protection Regulation): A regulation in EU law on data protection and privacy for all individuals within the European Union.
- ISO 27001: An international standard for information security management systems.
- TLS (Transport Layer Security): A cryptographic protocol designed to provide communications security over a computer network.
References to Relevant Standards
- ISO/IEC 27001:2013 - Information Security Management Systems
- GDPR (Regulation (EU) 2016/679)
- NIST Cybersecurity Framework
FAQ for Common Security Questions
Q: How is my data protected when using Micrio?
A: Micrio protects your data through multiple layers of security, including encryption at rest and in transit, strict access controls, regular security reviews, and hosting on Cloudflare's secure infrastructure.
Q: Where is my data stored when using Micrio?
A: Micrio stores data in Cloudflare's Western Europe data centers, ensuring data residency within that region.
Q: How does Micrio handle security incidents?
A: Micrio has established incident response procedures to address security incidents promptly and effectively. In the event of an incident affecting customer data, affected customers will be notified in accordance with contractual obligations and applicable regulations.
Q: What happens to my data if I delete my Micrio account?
A: When you request account deletion, Micrio will permanently remove your account and all associated records and images within 30 days.
Q: Does Micrio share my data with third parties?
A: No, Micrio does not share your data, information, or uploaded images with any third parties.