security

The security of your data.

As we are invested in your security, we treat it as a priority. We implement security best practices internally through an ISO 27002-based Information Security Management System (ISMS), and we require our providers to do the same. We use only data centers audited against ISO 27001, ISO 27017, ISO 27018, ISO 9001, SOC 1, SOC 2, and SOC 3.

Confidentiality, Integrity, Availability

  • All of your data is encrypted at rest.
  • Our services are all encrypted during transit.
  • Only identified senior personnel have access to databases, servers, and backups on a need-to-know and need-to-use basis.
  • Every user access is unique and protected by an authentication step.
  • We require strong passwords on all systems, for both employees and customers.
  • We maintain our products as available with over 99.98% uptime.
  • We require the same standards from our providers.

Your data, your privacy

  • We process your data only in order to configure the application to your business needs.
  • We cannot access your data during support requests unless granted by you.
  • We will never, ever ask for your personal information such as a password.
  • You can upload and download documents you need securely.
  • All service contracts include a GDPR compliant data processing agreement.

Our Response

  • We are always ready to respond to integrity and security incidents.
  • Our staff are continually trained in security and enforce our best practices.
  • We implement a business continuity plan in order to remain available at all times.
  • Your data is backed up using point-in-time recovery.

FAQ

General Requirements

How do you ensure the Confidentiality and Integrity of our information is kept intact?

D4H Technologies places a high priority on information security. In order to ensure the confidentiality and integrity of customers' information, we use an Information Security Management System (ISMS). For instance, we manage and monitor all physical and logical access to data, train our employees to follow security principles and requirements, and protect our products against attacks and intrusions.

How and to what level do you ensure the Availability of our information?

Availability is one of the foundations of information security. That is why we use third-party alerting and globally monitor our servers' capacity and availability. We also have providers who ensure DDoS mitigation. Finally, we have a Business Continuity Plan in order to guarantee our availability.

Have there been any data leaks or misuse of our information recently?

We have never had a data leak or misuse of information. If one occurs, security reports are sent to our customers by email to alert them as soon as we detect a problem.

Which employee roles have physical and/or logical access to our data?

We grant access on a need-to-know and need-to-use basis. Only senior engineers may access the raw customer information database, by the very nature of their responsibilities. Customer Support must be granted access by the customer before they can access that customer's data to assist with a support request. All data is encrypted at rest.

Security Management

Do you have a Privacy policy?

Yes, you can find our privacy statement here.

Do you have Security policies?

Our policies cover areas such as data protection, passwords and encryption keys, physical and environmental security, social security awareness, destruction and disposal of information, access control, incident management, business continuity, and secure engineering principles. They are enforced and regularly reviewed by management. For security reasons, we cannot make them public.

Operational Security

Do you have an Information Security Management System in order to ensure the security of your operations?

Yes, D4H Technologies follows the guidelines provided by the ISO 27002:2013 standard.

How are your systems protected from unauthorized access, intrusion, or attacks?

D4H Technologies follows strict security requirements. We use the OWASP Testing Guide as a basis for our product’s vulnerability testing. We ensure that we protect against the OWASP Top 10 most critical vulnerabilities.

Can you provide a record of recent intrusions or attacks?

Intrusions and attacks are logged. They are also monitored and assessed in order to evaluate their impact, so that our response can be adapted to the severity of the attack.

How do you train the employees who have access to our data regarding security?

Employees read and apply our policies and procedures, and have regular training and information during our weekly briefing.

Do you have an Incident Management procedure?

Yes, our employees know what to do and who they should contact if an incident occurs. We also assess risks of these incidents and take corrective actions as necessary.

How are we alerted if an incident occurs?

Security reports are sent to our customers by email to alert them as soon as we detect a problem and have prevented further access.

Physical Security

Do you have physical access controls?

Yes, we keep a record of granted physical access. Guests are always accompanied. We log visitor access.

Do you have an access removal policy?

Yes, every employee whose contract is terminated has physical and logical accesses removed. Access is also reviewed when needs and roles change.

System Security

Do you log, monitor, and report all security events?

Yes, including events from our providers and vendors. We monitor them continuously, with a level of scrutiny that depends on the sensitivity of the information.

Are accesses based on business need, least privilege, and individual accountability?

Yes, we grant access on a need-to-know and need-to-use basis. We are able to track individual accountability.

Do you have a password policy?

Yes, we enforce the use of an 8-character password containing lowercase letters, uppercase letters, and numbers, for both our internal use and customer access to their data. We also use 2-step authentication when available for our business systems. Our customers can use 2-factor authentication where applicable.

Do you have virus, malware, intrusion, etc. detection software?

Yes, we keep it up to date automatically and review the logs regularly.

Server Security

Do you have a policy to remove test and user accounts when they are no longer in use?

Yes, it is part of our secure engineering principles.

Do consoles with keyboards have password-protected screens that log off if unattended?

All systems and terminals use password-locked screens after 10 minutes of inactivity.

Network Security

Do you have Firewall protection in place?

Yes, firewalls protect both our internal systems and customer access to their data.

Data Security

Are system and data backups accessible for a period of at least 30 days?

Yes.

How are backups stored on different systems, physically and logically? What would be required to lose both?

We use different systems for servers and backups, separated physically, logically, and geographically. Backup systems are not accessible from application servers. It is almost impossible to lose both, as an attack or incident would have to affect both systems at the same time.

Business Continuity and Disaster Recovery

Do you have a business continuity and disaster recovery plan?

Yes. Business systems are hosted and accessible externally. Data backups are securely stored off-site. Employees can work remotely on their laptops. Office facilities are accessible off-site.

Contract Termination

How do you remove data after service or contract termination?

We follow a destruction and disposal policy.