CleanShot Security

Last update: October 1, 2024

At CleanShot, we take privacy seriously. We are committed to ensuring the security of our development process and CleanShot Cloud service. The company has achieved ISO 27001 compliance and we have implemented several security measures to ensure that your data is safe.

Compliance

ISO 27001

CleanShot is certified under the ISO 27001 standard. You can download our certificate.

GDPR

All of our internal processes are designed with privacy in mind. We ensure that we collect the minimum amount of data necessary to provide our services, process it with the necessary security measures, and delete it when it is no longer needed. Read our privacy policy for more information.

MVSP

Minimum Viable Secure Product is a security baseline for enterprise-ready products and services based on Dropbox and Google's vendor security assessment, with contributors from the largest tech companies. We adhere to MVSP controls in addition to the requirements of the aforementioned standards.

Secure Development

Access Control

CleanShot treats security as a top priority. Our access granting process is designed to follow the principle of least privilege and we authenticate using SSO with hardware tokens as a mandatory second factor.

Device Security

We standardize on macOS devices. All devices are encrypted, and secure device configuration is enforced.

Development Process

We use a pull-request based approach with code reviews and CI/CD pipelines. Every change is tested with automated tests, dependencies are checked for known vulnerabilities, and the code is scanned for security issues.

External Penetration Testing

We regularly perform penetration tests of our products, services, and cloud infrastructure. We use a third-party security company to perform these tests and we address all issues found in a timely manner.

macOS App Security

Code Signing

CleanShot app is signed with Apple Developer ID and scanned for malware using Apple's notarization service. Updates are signed with an additional key to ensure that they have been released by us.

Hardened Runtime

We use Hardened Runtime which prevents code injection, dynamically linked library (DLL) hijacking and process memory space tampering.

Release Process

Each update is thoroughly tested and the release process can only be performed by selected team members.

Infrastructure Security

Hosted on AWS

Our infrastructure is hosted on AWS, which maintains internationally recognized compliance certifications (including ISO 27001 and SOC 2). They maintain industry-leading security practices and provide best-in-class environmental and physical protection for the services and infrastructure. Learn more about AWS security on their Cloud Security page. We use network firewalls and WAFs with rate limiting to prevent brute force attacks.

Data Encryption

All data is encrypted at rest and in transit. We use AWS KMS for encryption and AWS S3 for storage. We regularly scan our TLS configuration and ensure that our services only allow HTTPS traffic with HSTS enabled.

Separation of Environments

Non-production environments are separated from production, both in terms of network and access control. AWS Organization is used for account management to ensure proper separation. Production data is never used for testing purposes.

Audit Logging

All AWS actions are logged in CloudTrail. We make sure to collect logs from our services to ensure proper auditing without logging sensitive data.

High Availability

Our infrastructure is designed for high availability. We eliminate single points of failure and use multiple availability zones to improve reliability. Data is backed up to multiple locations for at least 30 days, and we have disaster recovery plans that are tested regularly.

Infrastructure as Code

We use Infrastructure as Code solutions to manage our infrastructure. This allows us to version control our infrastructure and ensure proper secure configuration.

Subprocessors

We perform due diligence on all data processors and minimize the number of third parties involved. A list of our subprocessors can be found here.

Organization Security

Personnel

CleanShot has a small, highly technical team that treats security as a top priority. Employees and contractors sign an NDA, follow security policies and participate in role-specific internal security training.

Incident Response

We have established procedures for responding to security and privacy incidents related to our products and services. We publish a point of contact for security researchers.

Risk Management

We conduct regular risk assessments and internal evaluations of our information security management system, our infrastructure, and all internal processes.

Security Vulnerability Disclosure

Make sure to read our Responsible Disclosure Policy before reporting any security vulnerabilities. If you believe you have found a security vulnerability in any CleanShot product, or have any other security concerns, please contact us at security@cleanshot.com.