Evidence.com customers have varying risk profiles and different security needs. Many of the access control features can be enabled or disabled by customers as needed, or can be changed to meet a specific level of risk. The default settings for these security features were chosen to provide a strong level of security, while still maintaining flexibility and convenience. Customers are encouraged to evaluate these features and align them with their unique needs.
- Customisable password length and complex password requirements
- Customisable failed login limit and lockout duration
- Enforced session timeout settings
- Mandatory challenge questions when authenticating from new locations
- Multi-factor authentication options for user login and prior to administrative actions (one-time code via SMS or phone call-back)
- Restrict access to defined IP ranges (limit access to approved office locations)
Authorisation & Permissions
- Granular role-based permission management
- Application permission management (for example, allow specific users to use the web-based interface, but not a mobile application)
- Integration with directory services for streamlined and secure user management
Auditing and User Reporting & Management
- Detailed, tamper-proof administrator and user activity logging
- Intuitive administration web portal to manage users, permissions and roles
- Intra-agency, inter-agency and external evidence sharing without data transfer, data duplication, physical media or email
- Detailed chain-of-custody logging when sharing
- Revoke access to previously shared content
- Prevent a recipient of shared content from downloading or re-sharing evidence
Evidence.com includes features to ensure the integrity and authenticity of digital evidence. These features ensure the evidence meets chain-of-custody requirements and can be proven to be authentic and free from tampering.
- Forensic fingerprint of each evidence file using an industry-standard SHA hash function. Integrity is validated before and after upload to ensure no changes occurred during transmission.
- Full tamper-proof evidence audit records. Logs the when, who and what for each evidence file. These records cannot be edited or changed, even by account administrators.
- Original evidence files are never altered, even when derivative works (video segments) are created.
- Deletion protection, including deletion approval workflows, deletion notification emails and a deletion remorse period to recover accidentally deleted evidence files.
Evidence data is encrypted in transit and while at rest in storage. Axon maintains mature, audited encryption key management procedures.
Data Encryption in Transit:
- FIPS 140-2 validated: Axon Cryptographic Module (cert no. 2878)
- TLS 1.2 implementation with 256-bit connection, RSA 2048-bit key, Perfect Forward Secrecy
Evidence Data Encryption at Rest:
- CJIS Compliant, NSA Suite B 256-bit AES encryption
Shared Security Responsibility
It is important for customers to understand the measures that Axon has taken to secure Evidence.com, as customers inherit our advanced security capabilities, controls and programs. This security inheritance enables customers to achieve levels of data security that far exceed what is feasible in on-premise or hybrid solutions. However, it is also critically important for customers to understand and implement the security practices that are within their responsibility and control.
Fortunately, we are here to help. In addition to the customisable Evidence.com security features, Axon has developed numerous resources to provide guidance and instruction on ensuring the security of data retained in Evidence.com.
Reporting Potential Security Issues or Vulnerabilities
If you know or suspect security issues with an Evidence.com account or if you believe you've discovered a security vulnerability on Evidence.com or with an Axon product, please email firstname.lastname@example.org with a thorough explanation of the issue or vulnerability. Any sensitive testing results or information should be transmitted to Axon using an encrypted communication channel. Our PGP key is available here: Axon Information Security (36A266CE) – Public
We ask that you do not disclose any vulnerability information publicly or to any third party without coordination with Axon's Information Security team. Axon is committed to working with customers and the security researcher community to validate and address reported potential vulnerabilities. Further information regarding this commitment is outlined in Axon’s Penetration Testing & Vulnerability Disclosure Guidelines.
All non-security-related issues should be directed to Axon Customer Support.