content snare

Security & Compliance

Content Snare is built for teams who take security and client privacy seriously.

Your data sits behind the same controls trusted by leading financial and professional service firms.

ISO 27001 certified. Continuously monitored. Per-tenant encryption. Hardened infrastructure.

The security of your and your clients’ data is the most important part of what we do.

Introduction

Content Snare is a secure client portal used by accounting firms, law firms, mortgage brokers, and financial services companies to collect documents, files and information from clients.

Clients submit documents directly through a secure portal with per-firm encryption keys. No documents pass through email. No shared folder links to manage.

Every part of the platform is built with security at its core. The key measures are outlined below.

Why a secure client portal matters

Professionals who collect sensitive documents from clients face a choice: use email, or use a purpose-built secure document portal.

Email is the default, but it's the wrong tool for the job. Documents sent as attachments sit unencrypted in inboxes, get forwarded to the wrong person, and scatter across threads that are impossible to track. Shared folder links (Dropbox, Google Drive, OneDrive) are marginally better, but offer no workflow: no reminders, no progress tracking, no way to reject an incorrect document and request a correction.

Content Snare replaces document requests via email with a secure document upload portal where clients upload directly. Files are encrypted in transit and at rest. No documents pass through email. No shared folder links to manage. No risk of sending confidential files to the wrong recipient. Clients get automatic reminders, auto-save, and a clear view of what they still need to provide.

ISO 27001 Certification

Content Snare is ISO 27001 certified - the global gold standard for information security.

This means our systems, policies, and processes are built to protect your data at every level, and have been independently audited by accredited third-party specialists. It’s not just a badge, it’s proof we take your security seriously.

For firms using Content Snare as their secure client portal to collect tax returns, identity documents, and financial statements, ISO 27001 certification provides assurance that the platform meets the highest standard for information security management.

Trust Center

To provide complete transparency and assurance, you can view our security controls, policies, and compliance certifications in our Trust Center.

This centralized hub gives you real-time access to our security posture, including compliance with industry standards and our ongoing commitment to safeguarding your data.

You may also see uptime and reliability on our status page.

User Authentication

Logged in users can enable two-factor authentication (2FA) to strengthen account security and prevent unauthorized access. Account administrators also have the option of enforcing 2FA for all users within their organization, adding a layer of security before account access is granted.

Encryption

All data in transit is encrypted between source and destination using SSL/TLS with RSA 2048 key encryption. This includes data between the client application and the API server, and the API server and the database. Encryption at rest is also applied to the database.

In addition, all passwords are salted and hashed to protect against unauthorized access. Stored answers are encrypted separately, with a unique encryption key assigned to each company.

Data Centres

Our infrastructure is provided by Amazon Web Services (AWS), an industry-standard in hosting. Like us, they treat security as a top priority. You can read about their superior visibility, control and permissions here.

Network isolation

All network infrastructure, with the exception of the load balancer, resides within a virtual private subnet. This ensures that only the load balancer is Internet-facing.

The virtual private subnet ensures that direct communication from the client application to the server, database and storage servers cannot be achieved, thus increasing security through layers of defense.

All links to the stored files are served using temporary time-based signatures allowing the file to be indirectly accessed only after authentication.

Firewalls

Firewalls sit between the Internet and the load balancer and the load balancer and the API server to create a DMZ between the Internet and the virtual private subnet.

A firewall is also located between the API server and the database and file storage servers to ensure that only whitelisted IP addresses have direct access to the database and storage servers.

Middleware on the API server also provides a level of protection by implementing additional security protocols such as automated IP address throttling and temporary IP address blocklisting.

Authentication

All database read/write actions require authentication. Authentication is processed on the server during the login handshake, and a short-lived access token is provided to the client application allowing access to authenticated API requests. The access token is renewed regularly (at less than 5 minute intervals) to remove the risk of stolen authentication keys.

Role-based authentication is also undertaken by the API server for each request, and only operations allowed by the specific role will be processed by the API server. In addition, company-based authentication is performed to ensure that a user from one company cannot access or write data to another company entity.

To protect against common password attacks, the system maintains a real time list of the most commonly used and compromised passwords. Users attempting to sign up or update their credentials with weak passwords (such as password123) will be required to choose a stronger alternative. This measure significantly reduces the risk of brute force or credential-stuffing attacks.

Throttling

The system enforces throttling on repeated authentication failures to protect against brute force attacks and unauthorized access attempts. Incorrect password or pincode attempts trigger increasing delays between each attempt to significantly slow down guessing attempts. If multiple incorrect attempts continue, access to the account is temporarily blocked.

This security measure is enforced on an account basis rather than by IP: even if an attacker uses multiple devices, our system will still detect and restrict repeated login attempts. This is crucial for pincode security, because a pincode has only a finite number of possible combinations and must not be exploitable through rapid guessing.

If an account is blocked due to too many failed login attempts, we provide a secure method for users to regain access. Affected users will be required to verify their identity through our support team, who will guide them through the reactivation process to make sure the account remains in the rightful owner's hands.
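The per-account throttling described in this section can be modelled as a small state machine keyed by account rather than by source IP. The code below is an added example and not Content Snare's implementation; the delay schedule (doubling from 2 seconds), the failure limit (6) and the block length (15 minutes) are constructed values, since the page does not state them. Because the state is keyed only by the account, spreading guesses across devices or addresses does not reset the counter.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed policy values for the example; the page states no specific numbers.
BASE_DELAY_SECONDS = 2        # delay imposed after the first failure
MAX_FAILURES = 6              # consecutive failures before a temporary block
BLOCK_SECONDS = 15 * 60       # length of the temporary block


@dataclass
class AccountState:
    failures: int = 0
    next_allowed_at: float = 0.0   # earliest time another attempt is accepted
    blocked_until: float = 0.0     # end of the temporary block, if any


class AccountThrottle:
    """Tracks failed attempts per account id; the client's IP plays no part."""

    def __init__(self) -> None:
        self._state: Dict[str, AccountState] = {}

    def check(self, account: str, now: float) -> Optional[str]:
        """Return None if an attempt may proceed, otherwise the reason it may not."""
        st = self._state.get(account)
        if st is None:
            return None
        if now < st.blocked_until:
            return "blocked"
        if now < st.next_allowed_at:
            return "too_fast"
        return None

    def record_failure(self, account: str, now: float) -> AccountState:
        st = self._state.setdefault(account, AccountState())
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            st.blocked_until = now + BLOCK_SECONDS
        # The delay doubles with each consecutive failure: 2, 4, 8, ... seconds.
        st.next_allowed_at = now + BASE_DELAY_SECONDS * (2 ** (st.failures - 1))
        return st

    def record_success(self, account: str) -> None:
        # A correct credential clears the failure history for the account.
        self._state.pop(account, None)


def attempt_login(throttle: AccountThrottle, account: str, credential_ok: bool, now: float) -> str:
    """Simulate one login attempt; returns 'ok', 'wrong', 'too_fast' or 'blocked'."""
    reason = throttle.check(account, now)
    if reason:
        return reason
    if credential_ok:
        throttle.record_success(account)
        return "ok"
    throttle.record_failure(account, now)
    return "wrong"


if __name__ == "__main__":
    t = AccountThrottle()
    clock = 0.0
    for _ in range(MAX_FAILURES + 1):
        print(clock, attempt_login(t, "demo-account", False, clock))
        clock += 1.0
```

Note that the throttle is consulted before the credential is checked, so even a correct PIN submitted during an imposed delay is refused; this is what keeps a rapid-guessing strategy from ever reaching the comparison.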

Password Management

Passwords are never stored in plain text within the database. An individual hash and salt are stored for each user, ensuring that compromise of one password will not allow other passwords to be obtained.

Passwords are never stored in any logs.
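The two password controls described on this page, the compromised-password check from the Authentication section and the per-user salt and hash from this section, fit together at registration and login. The following is an added example, not Content Snare's code: the denylist contents, the minimum length of 12 and the choice of scrypt as the hash function are all assumptions for the illustration. Each user gets a fresh random salt, so two users with the same password store different digests, and a correct password is checked with a constant-time comparison.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Optional, Tuple

# Constructed denylist for the example; a real deployment loads a large, regularly updated list.
COMPROMISED_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed policy value


def password_is_acceptable(password: str) -> bool:
    """Reject short passwords and anything on the compromised list (case-insensitive)."""
    if len(password) < MIN_LENGTH:
        return False
    return password.lower() not in COMPROMISED_PASSWORDS


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest); a fresh 16-byte salt is drawn when none is supplied."""
    if salt is None:
        salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=32)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class UserStore:
    """In-memory stand-in for the user table: username -> (salt, digest)."""

    def __init__(self) -> None:
        self._users: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, username: str, password: str) -> bool:
        if not password_is_acceptable(password):
            return False  # caller must ask for a stronger password
        self._users[username] = hash_password(password)
        return True

    def login(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown username costs the same time as a wrong password.
            hash_password(password)
            return False
        return verify_password(password, *record)

    def salts_differ(self, user_a: str, user_b: str) -> bool:
        return self._users[user_a][0] != self._users[user_b][0]


if __name__ == "__main__":
    store = UserStore()
    print(store.register("demo", "password123"))              # rejected
    print(store.register("demo", "correct horse battery staple"))
    print(store.login("demo", "correct horse battery staple"))
```

Only the salt and digest are ever stored; the plaintext password is used once to compute the digest and is not written anywhere, which is the property the section above describes for both the database and the logs.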

Development Framework

All server-side software is scanned in real time to test for common and 0-day security vulnerabilities within the software framework and libraries used. All vulnerable libraries are replaced or patched to ensure the vulnerabilities are removed.

The latest framework versions are also used on both client and server applications, ensuring the latest security principles are adopted.

Staff Accessibility

Employees and contractors use a password manager that enforces strong passwords. They are only authorized to access data that they need to carry out their duties.

Multi-factor authentication is enforced on all platforms that allow it.

For assistance in setting up accounts, you may grant our support staff access. This can only be granted by an administrator of your account, and can be revoked at any time.

Logging & Alerts

Content Snare is continually monitored for downtime, errors and access. Logs are maintained for analysis and debugging. Critical alerts are flagged with our engineering team immediately.

Backups & Disaster Recovery

Regular backups are distributed across several physical locations. Both files and database can be restored to a specific point in time over the last 14 days, or a full recovery can be initiated from a snapshot.

Our backup and recovery procedure ensures a minimum disruption of service in the event of a total failure.

Data Protection & Privacy

We are committed to data protection regulatory requirements (such as GDPR) and privacy.

Our privacy policy covers:

  • Your privacy rights
  • How we collect and use your personal data
  • Cookie policy

You can read about our data protection in our Privacy Policy, Data Processing Agreement and End-user License Agreement.

We actively monitor regulatory guidance changes to ensure we continue protecting your data.

Questions and Support

If you have any questions, please contact us.

Frequently Asked Questions

How secure is Content Snare for collecting sensitive documents?

Content Snare uses SSL/TLS encryption for all data in transit, AES encryption at rest, and assigns a unique encryption key to each company so one firm's data is never accessible to another. Encryption keys are stored in a secure vault outside the main application. The platform is ISO 27001 certified, independently audited, and hosted on AWS infrastructure with network isolation, firewalls, and role-based access controls. Over 1,900 firms use it to collect sensitive financial and legal documents.

What's the safest way to get documents from clients?

Rather than email or shared folder links, use a secure client portal like Content Snare. Clients access a branded portal via a secure link, upload their documents, and everything is encrypted in transit and at rest. No account creation required. Content Snare is ISO 27001 certified and used by over 1,900 firms handling sensitive financial and legal documents.

How does Content Snare encrypt client documents?

All data in transit is encrypted using SSL/TLS with RSA 2048 key encryption. Data at rest is also encrypted. Each company has a unique encryption key, so documents from one firm are never accessible to another. Encryption keys are kept in a secure vault outside the main application and cannot be retrieved once created. Passwords are salted and hashed individually.

Is Content Snare secure enough for tax documents and financial records?

Yes. Over 1,900 accounting firms and financial services companies use Content Snare as their secure client portal for collecting tax returns, financial statements, identity documents, and other sensitive records. ISO 27001 certified with per-firm encryption, role-based access controls, and infrastructure hosted on AWS with network isolation and firewalls.

How does Content Snare compare to document management systems for security?

Document management systems like ShareFile, SmartVault, and Egnyte are built for storing and organizing documents after you have them. Content Snare is a secure client portal designed for getting clients to send you documents in the first place. It combines security with a collection workflow: automatic reminders chase clients so you don't have to, progress tracking shows what's outstanding at a glance, and approval workflows let you accept or reject individual items. Both approaches offer strong security, but Content Snare solves the collection step that document management systems don't address.

Can clients upload documents without creating an account?

Yes. Clients access their Content Snare portal via a secure link. They can upload documents, answer questions, and complete tasks without creating an account or installing any software. Everything auto-saves, so they can return and continue where they left off.

How is data secure if clients don't need to log in?

Each request uses a unique, unguessable link containing a long string of characters that would take many years to guess with current computing power. The link is only active while the request is open. Once a request is completed or archived, the link is deactivated. For additional security, you can require clients to set a PIN code that must be entered every time they access the request. The system enforces increasing delays and temporary blocking after multiple incorrect PIN attempts to prevent brute force attacks.

Where is Content Snare data stored?

All client data, request information, and uploaded files are stored on Amazon Web Services (AWS) infrastructure. The database is encrypted, and all submitted answers are encrypted using unique, company-specific encryption keys. Regular backups are distributed across several physical locations and can be restored to a specific point in time over the last 14 days.

How does Content Snare keep sensitive data like a TFN, TIN, or SSN secure?

Content Snare has a confidential fields feature specifically designed for sensitive data like tax file numbers, taxpayer identification numbers, and social security numbers. When a field is marked as confidential, clients can enter their information but cannot view it again after leaving the page. Admins must re-enter their password to unlock and view confidential data. If a client's link is forwarded to someone else, that person cannot see the confidential answers. Confidential fields can also be excluded from data exports for additional protection.
