lock

Privacy First

The security of your data

We implement the best practices in data security with an externally audited ISO27001:2022 Information Security Management System (ISMS) and ensure our providers do the same.

Top Security Questions

Where is our data located?
Is our data encrypted?
What are the system requirements?
Are we GDPR compliant if we use D4H?
Can we integrate other products with D4H?

Standards & Certifications

D4H is certified with an external audit for ISO 27001:2022. We use ISO 27001, ISO 27017, ISO 27018, ISO 9001, SOC 1, SOC 2, and SOC 3 audited data centers managed by Amazon Web Services. We’ve also built our platform with robust security controls and procedures to ensure full compliance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Certificate Number 22994
Full compliance with the HIPAA Security Rule
Cloud Infrastructure Partner

Confidentiality, Integrity, Availability

  • All of your data is encrypted at rest.
  • Our services are all encrypted during transit.
  • Only identified senior personnel have access to databases, servers, and backups on a need-to-know and need-to-use basis.
  • Any user access is unique and protected by authentication step.
  • We require strong passwords on all systems both by employees and customers.
  • We maintain our products as available with over 99.98% uptime.
  • We require the same standards from our providers.

Your data, your privacy

  • We process your data only in order to configure the application to your business needs.
  • We cannot access your data during support requests unless granted by you.
  • We will never, ever ask for your personal information such as a password.
  • You can upload and download documents you need securely.
  • All service contracts include a GDPR compliant data processing agreement.

Our Response

  • We are always ready to respond to integrity and security incidents.
  • Our staff is continually trained in security and enforce our best practices.
  • We implement a business continuity plan, in order to remain available at all times.
  • Your data is backed up using point-in-time recovery.

Frequently Asked Questions (FAQ)

General Requirements

How do you ensure the Confidentiality and Integrity of our information is kept intact?

D4H Technologies place a high priority on information security. In order to ensure the confidentiality and integrity of our customers' information, we have a robust Information Security Management System (ISMS). For instance, we manage and monitor all physical and logical access to data, train our employees to follow security principles, and requirements, and protect our products against attacks and intrusions.

How and to what level do you ensure the Availability of our information?

Availability is one of the foundations of information security. That is why we use third-party alerting and monitor globally our servers capacity and availability. We also have providers who ensure DDoS mitigation. Finally, we have a tested Incident Management Procedure in order to guarantee our availability.

Have there been any data leaks or misuse of our information recently?

We have never had data leaks or misuse. Should an incident occur we follow our detailed Incident Management Procedure, with notification and security reports being sent to affected customers by email as soon as we detect or suspect a problem.

Which employee roles have physical and/or logical access to our data?

We grant access following the need-to-know and need-to-use basis. Only senior engineers may access raw customer information databases by the very nature of their responsibilities. Customer Support must be granted access by a customer to access their data to assist with support. All of our employees undergo security screening at recruitment and throughout their time with us. All data is encrypted at rest.

Is D4H HIPAA Compliant?

Yes. D4H has conducted a comprehensive internal HIPAA Compliance Assessment, confirming that we have implemented strong security controls and procedures to protect your electronic protected health information (ePHI). We prioritize data security and privacy, ensuring your ePHI is handled with the highest standards of confidentiality.

Security Management

Do you have a Privacy policy?

Yes, you can find our privacy statement here.

Do you have Security policies?

Our policies cover areas such as data protection, password and encryption keys, physical and environmental security, social security awareness, destruction and disposal of information, access control, incident management, business continuity, and secure engineering principles. They are enforced and regularly reviewed by management. For security reasons, we cannot make them public but should you have further questions our Information Security Manager will be happy to discuss these.

Operational Security

Do you have an Information Security Management System in order to ensure the security of your operations?

Yes, D4H Technologies is certified ISO 27001:2022 standard.

How are your systems protected from non-permission access and intrusion or attacks?

D4H Technologies follows strict security requirements. We use the OWASP Testing Guide as a basis for our product’s vulnerability testing. We ensure that we protect against the OWASP Top 10 most critical vulnerabilities.

Can you a provide record of recent intrusions or attacks?

Intrusions or attacks are logged. They are also monitored, and assessed in order to evaluate the impact, so actions can be adapted to the severity of the attack.

How do you train the employees who have access to our data regarding security?

Employees read, acknowledge and apply our policies and procedures, have regular security training, and are kept up to date with the latest security threats during our weekly briefings.

Do you have an Incident Management procedure?

Yes, our employees know what to do and who they should contact if an incident occurs. We also assess risks of these incidents and take corrective actions as necessary. We routinely test our procedure and continuously improve it based on industry recommendations.

How are we alerted if an incident occurs?

Security reports are sent to our customers by email to alert them as soon as we detect a problem and have prevented further access.

Physical Security

Do you have physical access controls?

Yes, we keep a record of granted physical access. Guests are always accompanied. We log visitor access.

Do you have an access removal policy?

Yes, we have a formal Joiners, Leavers and Movers Procedure which ensures that every employee whose contract is terminated has physical and logical accesses removed. Access is also reviewed when needs and roles change.

System Security

Do you log, monitor, and report all security events?

Yes, and from our providers and vendors. We monitor them continuously, depending on the severity of the information.

Are accesses based on business need, least privilege, and individual accountability?

Yes, we grant access following the need-to-know and need-to-use basis. We are able to track individual accountability.

Do you have a password policy?

Yes, we enforce the use of an 8 character password with lower, uppercase and numbers for both our internal use and customer access to their data. We also use 2-step authentication when available for our business systems. Our customers can use 2-factor authentication where applicable.

Do you have virus, malware, intrusion, etc. detection software?

Yes, we keep them up-to-date automatically and review the logs regularly.

Server Security

What is your policy to have test and user accounts removed when no longer in use?

Yes, it is part of our secure engineering principles.

Do devices have password protected screens that logoff if unattended?

All systems and terminals use password locked screens after 5 minutes of inactivity.

Network Security

Do you have Firewall protection in place?

Yes, we have, for both our internal use and customer access to their data.

Data Security

Are system and data backups accessible for a period of at least 30 days?

Yes.

How are backups stored on different systems, physically and logically? What would be required to lose both?

We use different systems for servers and backups, both physically, logically, and geographically. Backup systems are not accessible from application servers. It is almost impossible to lose both, as an attack or incident should occur on both systems at the same time.

Business Continuity and Disaster Recovery

Do you have a business continuity and disaster recovery plan?

Yes. We have a detailed Business Continuity Plan and a dedicated Incident Response Team to ensure continued service to our customers.

Contract Termination

How do you remove data after service or contract termination?

As per our Service Agreements all customer data is removed from our systems in the event of a contract termination. In order to ensure this is done we follow our destruction and disposal policy.

EU Digital Services Act (DSA)

Our Commitment to Transparency

At D4H, we're committed to ensuring transparency in our operations, especially in our role as an intermediary service provider. This section provides detailed information on our content moderation activities, data hosting practices, and compliance with the Digital Services Act (DSA).

  • We take a proactive approach to maintaining a safe and compliant platform. 
  • We request that D4H users notify us of any illegal content so we can review, notify account owners and remove content that violates applicable laws if necessary.
  • We do not use automated tools for content moderation of private customer data.
  • Content that breaches our terms of service is subject to removal or other actions.
  • We comply with legal orders from authorities regarding the removal or disabling of access to illegal content. 
  • We take user complaints seriously and have established a structured process to address them efficiently.

Submission/Complaints process: 

  • Users can submit complaints via email to security-team@d4h.com.
  • Complaints are reviewed by our moderation team, and users are notified of the outcome.
  • If users are unsatisfied with the resolution, they can appeal the decision.

Reports

Our transparency reports are publicly accessible and available in English to the Member States where we operate. These reports can be seen here.

We publish our transparency reports at least once every six months. The next report will be available on 1st December 2024.

Point of contact

To streamline interactions with authorities, users, and other stakeholders, we have established a Single Point of Contact (SPOC) for all inquiries related to our intermediary services and compliance with the Digital Services Act (DSA).

Name: Jenny Appleby

Role: Information Security Manager 

Email: security-team@d4h.com

If you have any questions or need assistance regarding our intermediary services, content moderation practices, legal orders, or any other related matters, please do not hesitate to contact our Single Point of Contact. We are committed to providing timely and accurate responses to all inquiries.

100k+

responders from hundreds of organizations use D4H daily.

37+

countries on 6 continents are using D4H for emergencies.

440T+

CO2e has been offset. D4H offsets its entire carbon footprint plus some more.

6000

trees planted by us in real forests to aid reforestation of the natural climate.

Learn D4H

help_outline
Help Center
subscriptions
Video Learning
newspaper
The Bravo Zulu
new_releases
Product Updates
code
Developer Tools
email
Email Newsletter

D4H Resources

account_circle
D4H Sign in
settings_suggest
System Status
phone_iphone
Mobile Apps
security
Data Security
smart_toy
Integrations
star
Feature List

Don't miss out, join our community!

Join thousands of emergency & crisis managers and receive our insider updates and newsletter directly to your email inbox:

Thank you! You are now subscribed!
Oops! Something went wrong while submitting the form.
D4H LogoTermsPrivacy StatementCookie PolicySystem Status