9. API Security FAQ

  • Confidentiality

  • Availability

    • Availability SLA

    • Redundancy

    • BCP (Business Continuity Plan) / DRP (Disaster Recovery Plan)

    • Alerting

    • Service locations

  • OPSWAT Compliance and Certifications

    • ISO 27001 Certification

    • SOC2 Certification

    • Independent penetration testing

    • Secure SDLC at OPSWAT


  • Questions about the data OPSWAT collects, how OPSWAT uses the customer’s data, sharing the customer’s data with Service Providers, and Data Retention Policies are included in the OPSWAT Privacy Policy. OPSWAT uses HTTPS for communication and AES 256 for storage.

  • When uploading files in private mode and requesting to run Deep CDR, the file’s sanitized version will be available to download for 24 hours. Once the file is expired to download, the sanitized version of the file is deleted permanently. Sanitized versions can be expired and deleted before 24-hour expiration by calling the delete endpoint.

  • For all the paid customers, MetaDefender Cloud provides the ability to scan files privately. This private scanning feature is available via all interfaces, including the MetaDefender Cloud APIs. All files scanned in private mode will be permanently removed as soon as the analysis is completed, except metadata such as scan results will remain available in the MetaDefender Cloud.

  • Data in transfer

    • REST API use HTTPS with TLS 1.3.

    • Enterprise licensing customers can utilize Mutual TLS (mTLS) Authentication for communication.

    • Any internal service communicates with other services through internal (not exposed to the Internet) load balancers.

  • The organization’s administrator can set the policy to enforce a private scanning option for all usages from the organization for the enterprise licensing customers.

  • Data in use

    • Access to data is restricted to limited authorized personnel (CloudOps).

  • Access control

    • OPSWAT leverages multi-factor authentication (MFA) with the least privilege principle.

  • Access log

    • The access log is pseudonymized before it is stored with AES 256 encryption on the data warehouse or data lake.


Availability SLA

  • 99.5% for Commercial licensing plan. Internal SLO (Service Level Objective) is 99.9%. Real-time availability is published at trust.opswat.com, and anyone can subscribe for any production issue.

  • 99.9% for Enterprise licensing plan. Real-time availability is published at trust.opswat.com, and anyone can subscribe for any production issue.

  • We do not currently provide SLA for other metrics, but please reach out to us if it is essential. Also, refer to our TOS for more information.


  • All systems accepting user traffic are set up to use auto-scaling. More resources are provisioned as traffic increases (scale-out).

BCP (Business Continuity Plan) / DRP (Disaster Recovery Plan)

  • The service uses High Availability infrastructure with backup.

  • OPSWAT provides the following recoverability SLAs depending on the Customer licensing plan:

    • For the Commercial licensing plan, OPSWAT provides an RTO of 24 hours.

    • For Enterprise licensing plan, OPSWAT provides an RTO of 2 hours.

    • In a situation when disaster recovery is required, new infrastructure will be created in different regions with automated deployment. OPSWAT does not have hot backup servers but cold backups.

  • Data is backed up daily as snapshots and backups are kept for one week.

  • DR testing and tests reports:

    • Testing is performed twice a year.

    • Tests reports are available by request.


Service locations

  • Where is the system located? (Country(s) - Cloud / Hybrid / On-Premise)

    • Cloud: Customers can select between Europe (Germany) or the USA (North America). OPSWAT values the experience and privacy of our users. Our service is provided by servers located in the following locations. Please consult with the product team if you would like to see a service closer to the customer’s region.

    • Response time: OPSWAT is continuously monitoring the response time for its services. You can find the average scan times on Metadefender Cloud Statistics

OPSWAT Compliance and Certifications

For the latest and complete list of OPSWAT Compliance and Certifications, visit:


ISO 27001 Certification

OPSWAT has achieved ISO/IEC 27001:2013 certification. An independent examination of the OPSWAT Information Security Management System (ISMS) and OPSWAT MetaDefender and MetaAccess services by Schellman & Company, LLC confirmed our commitment to security and regulatory compliance as part of the certification evaluation.

SOC2 Certification

SOC for Service Organizations reports is designed to help service organizations that provide services to other entities, build trust and confidence in the service performed and controls related to the services through a report by an independent CPA. SOC 2 controls are evaluated at a Service Organization that is relevant to Security, Availability, Processing Integrity, Confidentiality or Privacy related to systems the service organization uses to process users’ data and the confidentiality and privacy of the information processed by these systems.

  • OPSWAT can share SOC2 Type 1 report by request

Independent penetration testing

  • OPSWAT is performing various external independent penetration testing at least once a year or whenever significant changes are made.


OPSWAT follows the Agile Software Development Lifecycle. On top of the agile process, we have added OWASP SAMM as the framework for the Secure Software Development Life Cycle and OWASP ASVS as the framework for Application Security and Verification.

Refer to Secure SDLC at OPSWAT for more information.