Security Policy for Metro 2 File Viewer

At The Service Bureau, we are committed to ensuring the security and privacy of our customers using Metro 2 File Viewer, a desktop application for Microsoft Windows designed to view Metro 2 files. This policy outlines our security measures to protect your data and address common security concerns.

Data Storage and Encryption

  • Local Storage: Metro 2 File Viewer only reads existing Metro 2 files. Client data is not stored outside an existing Metro 2 file.
  • Temporary Files: Any temporary files containing personally identifiable information (PII) are encrypted and automatically deleted when the software closes or after specific events, minimizing data exposure.
  • No Server Storage: We do not store consumer or customer data on our servers, except for minimal information (company name and an authentication identifier) required for licensing and authentication.

Secure Data Transmission

  • SFTP for Transfers: All data transmissions to and from Metro 2 File Viewer use Secure File Transfer Protocol (SFTP) over SSH, ensuring end-to-end encryption. We use the EnterpriseDT.Net library (edtFTPnet/PRO) with username/password authentication and the following cryptographic algorithms:
    • Ciphers: aes128-gcm, aes256-gcm (preferred for authenticated encryption), aes128, aes256 (likely CBC mode), 3des-168-SHA (included for legacy compatibility but not recommended).
    • Key Exchanges: Diffie-Hellman (DH) with SHA, SHA256, SHA384; Elliptic Curve Diffie-Hellman (ECDH) with SHA, SHA256, SHA384.
    • MACs: HMAC-SHA1, HMAC-SHA2-256, HMAC-SHA2-512 (used for data integrity).
    • Host Key Algorithms: RSA (preferred), DSA (supported for compatibility).
  • Metro 2 Aggregation: For customers opting into our Metro 2 stacking service, Metro 2 files are sent to us via SFTP, aggregated with other customers’ data, and securely forwarded to credit bureaus. No consumer data is stored on our servers unless explicitly sent for this purpose.

Support Data Handling

  • Secure Support Files: Files sent for support are transmitted within password-protected ZIP files. Support files are stored temporarily on our servers and automatically deleted after 7 days using secure deletion methods.
  • Data Minimization: We do not collect consumer data unless explicitly provided by the customer for support or Metro 2 aggregation.

Application Security

  • Binary Protection: The application binary is secured through obfuscation and encryption of constant strings to protect hardcoded keys and sensitive logic.

Updates and Patching

  • Automatic Updates: Metro 2 File Viewer uses an App Launcher to automatically update the application on launch. Each file is hash-verified to ensure integrity, and outdated or compromised files are updated or deleted.
  • Dependency Management: We regularly monitor and update third-party components (e.g., SQLite, SFTP, compression libraries) for security vulnerabilities. Critical bug or security fixes are typically released within a few business days.

Incident Response and Logging

  • Event Logging: SFTP transmission activity is logged to a text file on the client's machine to support troubleshooting. Logs do not contain sensitive data and are stored locally.
  • Vulnerability Response: In the event of a discovered vulnerability, we will promptly notify affected customers and provide remediation steps, such as patches or configuration changes.

Compliance and Standards

  • Best Practices: Metro 2 File Viewer is designed to align with industry best practices for data security and privacy, particularly for handling Metro 2 files used in credit reporting.
  • Continuous Improvement: We regularly review our security practices to ensure they meet evolving industry standards.

Contact Us

For security-related questions or to report a concern, please Contact Us

We are committed to addressing inquiries promptly and transparently.

Last Updated: April 23, 2025

The Service Bureau reserves the right to update this policy as needed to reflect changes in our practices or regulatory requirements.