FAQ
Account (6)
All security-related messages (PIN codes, security alerts…) are sent by SMS/text message even if you did not check the box on your profile. This is to ensure you are made aware as soon as possible of important information related to your account.
Whereas many services offer this ‘convenience’, we don’t. Re-use of a username/password is one of the major reasons why your account could be hacked. For example, if you re-use the username/password that you have on another site, and there is a data breach on that site, then hackers will try to connect to other web sites using the same credentials and take over your data.
With our service, we generate a random username that is very unlikely to exist anywhere else. Again, this is to reinforce the security of your data.
As a preventive measure, our system locks your account 15 minutes after you change your password or email address if you do not validate this change by clicking on the link we send you by email.
In other words, after changing your email address or password, you have 15 minutes to validate this change by clicking on the link we send you by email.
If you forget to click on the link within 15 minutes, and your account gets locked, re-open the email we sent, go to the bottom and click on the button named ‘Unlock Account’. This button will expire after 1 week.
If you did not initiate this change and your account gets locked, please contact us. In any case, and because your account was locked, your data is safe.
On the login page, click on ‘Lost your password? Click here’.
You will then be redirected to a page where you will have to provide your username/identifier.
If this identifier matches our database, you will receive an email with a temporary password and a link that will bring you to a page where you will be able to update your permanent password.
The system will add their username and temporary password to the email they will receive. They will have to follow the instructions we provide so they can log in and create a permanent password.
Yes, it is possible. There are a few things to be aware of, though, since a person can be a subscriber and possibly also a contact for other people in other subscriptions:
- First, we check if there is a subscription attached to this email. If that is the case, then we use this Subscriber username.
- If not, we check if there is an Insider with this email. If there is one (and only one) then we use this Insider username.
- If not, we check if there is a Guardian with this email. If there is one (and only one) then we use this Guardian username.
- If not, we check if there is a Recipient with this email. If there is one (and only one) then we use this Recipient username.
- If not, we do nothing.
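The lookup order above, written out as an added example (it is not Need2TellYou's code). The `Account` record, the sample usernames and the case-insensitive email comparison are assumptions made for illustration.

```python
from collections import namedtuple

# Hypothetical record type; the page does not describe the real data model.
Account = namedtuple("Account", "role username email")

# Contact roles, in the order the FAQ checks them after Subscriber.
CONTACT_ROLES = ("Insider", "Guardian", "Recipient")


def resolve_username(email, accounts):
    """Return the username the lookup order selects for `email`, or None."""
    wanted = email.strip().lower()  # assumption: emails compare case-insensitively
    matches = [a for a in accounts if a.email.lower() == wanted]
    # Step 1: a subscription attached to this email wins outright.
    for account in matches:
        if account.role == "Subscriber":
            return account.username
    # Steps 2-4: a contact role is used only when exactly one account matches;
    # zero or several matches fall through to the next role.
    for role in CONTACT_ROLES:
        hits = [a for a in matches if a.role == role]
        if len(hits) == 1:
            return hits[0].username
    # Step 5: nothing unambiguous was found, so do nothing.
    return None


# Constructed sample directory covering each branch.
SAMPLE = [
    Account("Subscriber", "u-7f3k9q", "alice@example.com"),
    Account("Guardian", "g-21xw0m", "alice@example.com"),
    Account("Insider", "i-aa01", "bob@example.com"),
    Account("Insider", "i-bb02", "bob@example.com"),
    Account("Recipient", "r-cc03", "bob@example.com"),
    Account("Guardian", "g-dd04", "carol@example.com"),
    Account("Guardian", "g-ee05", "carol@example.com"),
]

if __name__ == "__main__":
    for address in ("alice@example.com", "bob@example.com",
                    "carol@example.com", "nobody@example.com"):
        print(address, "->", resolve_username(address, SAMPLE))
```

The second sample address has two Insider accounts, so that role is skipped and the single Recipient account is selected; the third address is ambiguous at every level and resolves to nothing.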
Contacts (2)
In order to avoid any ‘conflict of interest’ or misuse of our system, and because you are not supposed to log in to their accounts, the passwords of Recipients and Guardians are not communicated to the subscribers. There is no need for that. Our system will take care of communicating the contacts’ credentials.
Files & Documents (4)
All data and documents are stored regionally within Amazon Web Services (AWS) data centers. Here is the list of the data centers we use per region; your region is determined by where you reside. This list will be updated as we roll out new regions:
- For North, Central and South America: ‘us-east-1’ AWS region located in North Virginia, United States of America, with replication in ‘us-west-2’ AWS region located in Oregon, United States of America
- For Europe (western, central and eastern): ‘eu-west-1’ AWS region located in Dublin, Ireland, with replication in ‘eu-west-3’ AWS region located in Paris, France
- For Africa: TBD (not available yet)
- For Middle-East: TBD (not available yet)
- For Asia: ‘ap-south-1’ AWS region located in Mumbai, India, with replication in ‘ap-southeast-1’ AWS region located in Singapore
- For any country in Oceania: TBD (not available yet)
For plans with the ‘enhanced security’ feature, if the subscriber is in this situation, s/he needs to upload the file again with a new Question/Answer pair. We, at Need2TellYou, cannot do anything about it.
Some plans benefit from document enhanced security. In this case, you have the option to improve the encryption of your document with a dedicated password, known as the ‘Answer’. Documents using this option have a Question and Answer you have to fill when uploading them. See Question/Answer FAQ related to this topic to know more about it.
If a document doesn’t use the Question/Answer (enhanced security feature), the document is still encrypted on our servers. The only difference is that with the Question/Answer just you and your recipient can open the file.
We cannot access the content of documents that have been uploaded under a plan with ‘Enhanced Document Security’. This is very important to keep in mind. If you lose or don’t remember the answer to a security question (see Question/Answer in FAQ for more details), nobody will be able to decrypt the documents, not even us at Need2TellYou. If the subscriber is in this situation, s/he needs to upload the file again with a new Question/Answer pair.
General Questions (5)
Please consult our Privacy Policy to get the answer to this question, in the ‘Terms’ section of the menu.
Privacy and Security (18)
A couple of reasons why.
In order to ensure maximum security, your password needs to be strong enough, with at least 8 characters. We also make sure your password is not part of a list of common passwords that are easily hacked. We have an official list of 1,000,000 of these passwords that can be found worldwide. Your password should not be part of this list.
We recommend you use the password generator on the page to get a random secure password.
Keeping track of IP addresses serves 3 purposes:
- Optimize the performance of our system by better understanding where customers come from.
- Improve user experience.
- Enhance security of the platform.
In order to improve security, we ask for a PIN code if:
- it is the first time you log in from a new device or computer, or
- 6 months have passed on the same computer, or
- you log in from a new IP address on the network
If one of these conditions is met, we show a pop-up asking how you prefer to receive the code (SMS or email) and send it to you, so you can enter it in the pop-up that follows.
This is a way to ensure you are the person trying to login.
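The three PIN conditions above as a decision function, added here as an example (it is not the service's code). The `trusted` store layout, the 183-day reading of "6 months" and the sample device names and IP addresses are assumptions.

```python
from datetime import datetime, timedelta

# Assumption: "6 months" is approximated as 183 days.
PIN_MAX_AGE = timedelta(days=183)


def pin_required(device_id, ip, now, trusted):
    """Decide whether this login must be confirmed with a PIN code.

    `trusted` maps device_id -> {"verified_at": datetime, "ips": set of str}.
    Returns (required, reason).
    """
    record = trusted.get(device_id)
    if record is None:
        return True, "new device"
    if now - record["verified_at"] >= PIN_MAX_AGE:
        return True, "6 months on the same device"
    if ip not in record["ips"]:
        return True, "new IP address"
    return False, "trusted"


def record_pin_success(device_id, ip, now, trusted):
    """Call only after the user entered the correct PIN."""
    record = trusted.setdefault(device_id, {"verified_at": now, "ips": set()})
    record["verified_at"] = now
    record["ips"].add(ip)


def walk_through():
    """Replay a constructed login history and return the reason for each login."""
    logins = [  # (device, IP from documentation ranges, time) -- constructed
        ("laptop", "203.0.113.5", datetime(2024, 1, 10)),
        ("laptop", "203.0.113.5", datetime(2024, 1, 11)),
        ("laptop", "198.51.100.7", datetime(2024, 1, 12)),
        ("laptop", "203.0.113.5", datetime(2024, 8, 1)),
        ("phone", "203.0.113.5", datetime(2024, 8, 2)),
    ]
    trusted, reasons = {}, []
    for device, ip, when in logins:
        required, reason = pin_required(device, ip, when, trusted)
        reasons.append(reason)
        if required:  # the demo assumes the user passes the PIN check
            record_pin_success(device, ip, when, trusted)
    return reasons


if __name__ == "__main__":
    print(walk_through())
```

The trust record is updated only after a successful PIN entry, so a failed challenge never adds a device or IP address to the trusted set.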
Because confidentiality is a cornerstone of our service, we have implemented several layers of security to protect your data. Here is a list of what we do to keep your data safe:
– We use the AES_256 algorithm, which is a data/file encryption technique that uses a 256-bit key to encrypt and decrypt data or files. It is one of the most common and reliable encryption methods.
– All sensitive data are encrypted at rest and in transit, meaning for storage and while being transmitted over the network.
– Your documents and encryption keys go through 3 different rounds of encryption, with a different algorithm each time.
– During the upload process, your documents are split in various file chunks of random size, each file is stored in a different location picked randomly, with an encoded filename, and a different encryption key for each chunk.
– For plans with the ‘enhanced security’ option, your documents are also protected by an additional layer through a Question/Answer capability that is the last security barrier. See a specific FAQ entry on this topic.
– We use quality SSL certificates to encrypt data transmitted over the network between your device and our servers.
– We keep an audit trail of all changes happening to your account settings (account, files, contacts, schedule).
– We keep an audit trail of all access to your documents stored on our servers (who, what, when).
– Documents life-cycle (upload, download and delete) are managed through a relay server preventing direct access to your documents.
– Strong passwords and 2FA authentication are offered to all users of our service. All platform administrative accounts use 2FA. See the specific 2FA FAQ topic for more information. We highly recommend you set up 2FA to strengthen the security of your account.
– We perform daily backups of the platform and we keep them for a month, then keep a monthly backup, and finally an annual one.
– We replicate all your documents to another regional data center to prevent risk of local ‘disaster’.
– Firewall, malware protection and real-time threat prevention software run on our website, with daily reports.
– We analyze user behaviors to alert on suspicious activity.
– Last but not least, we periodically work with ethical hackers that perform penetration testing on our web site, in order to identify potential security flaws.
Two-factor authentication (aka 2FA) is a second layer of security for your account. If you select this option, after login you will be asked to provide a code that is generated by an app on your tablet or smartphone and is valid for only 30 seconds. Any app using the TOTP algorithm can work with our website (e.g. Google Authenticator, Authy, 1Password, LastPass…). This method of signing in to websites relies on something you know and something in your possession. That is why it is referred to as two-factor: two factors are involved in authenticating you. While 2FA does improve security, it is not foolproof.
If you want to know more about 2FA you can read the Wikipedia page here or the Investopedia page here.
The Question/Answer feature is related to the ‘enhanced security’ option that some plans have. People subscribing to a plan with this feature have the option to protect their documents with an additional password that only they and the recipient will know. This password is also known as the ‘Answer’ hereafter.
So, in order to add another layer of protection, a secret Question/Answer has to be provided for each file the subscriber uploads.
Basically, the subscriber writes in plain text a Question the recipient(s) should know the answer to. For example, what was my mother’s maiden name? Or, which year did we go on vacation for the first time together? The question needs to be difficult to guess by someone else and easy for your recipient.
To increase the chances for the recipient to guess the Answer, this answer needs to be one word only, and cannot be part of the question. For example, someone cannot write a question as ‘Just type the word GUESS in the next field’ and have ‘GUESS’ as THE answer.
In the background, we will use this answer/word to create a more robust and complex password that will encrypt some keys and some data. The answer is not case sensitive, meaning it is not important if you type in upper case or lower case.
We will never store this answer on our servers for long-term storage. It just transits over the network, is used for encryption, and is then deleted. That means that we at Need2TellYou can never read the subscriber’s documents and see their contents. It is only between the subscriber and his/her recipients. That is a key confidentiality point.
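How an Answer can be validated and turned into an encryption key, as an added example (it is not Need2TellYou's code). The use of scrypt, its parameters, the per-file salt and the sample question are assumptions; the page does not say how the service derives its key.

```python
import hashlib
import os
import re


def normalize_answer(question, answer):
    """Apply the page's rules: one word, not case sensitive, not in the question."""
    word = answer.strip().casefold()
    if not word or re.search(r"\s", word):
        raise ValueError("answer must be exactly one word")
    if word in question.casefold():
        raise ValueError("answer must not be part of the question")
    return word


def derive_key(question, answer, salt=None):
    """Return (salt, 32-byte key). scrypt and its parameters are assumptions;
    the page does not name the key-derivation function the service uses."""
    word = normalize_answer(question, answer)
    salt = salt or os.urandom(16)  # stored beside the file; it is not secret
    key = hashlib.scrypt(word.encode("utf-8"), salt=salt,
                         n=2**14, r=8, p=1, dklen=32)
    # Only the salt is kept. The key (sized for AES-256) would encrypt the file
    # keys and is then dropped; that step needs a cipher library, omitted here.
    return salt, key


def demo():
    """Constructed question and answers, showing accepted and rejected cases."""
    question = "What was my mother's maiden name?"
    salt, key = derive_key(question, "Dupont")
    results = {
        "same key for different case": derive_key(question, " DUPONT ", salt)[1] == key,
        "wrong answer gives another key": derive_key(question, "Durand", salt)[1] != key,
    }
    for bad_q, bad_a in [(question, "Marie Dupont"),
                         ("Just type the word GUESS in the next field", "guess")]:
        try:
            derive_key(bad_q, bad_a)
            results[bad_a] = "accepted"
        except ValueError as exc:
            results[bad_a] = str(exc)
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(f"{label}: {outcome}")
```

Because the key exists only while the Answer is in memory, a lost Answer leaves nothing on the server from which the documents could be decrypted.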