As we are invested in your security, we treat it as a priority. We implement best security practices internally and also ensure that our providers do the same. We enforce an Information Security Management System (ISMS) and are undergoing ISO 27001 certification.
Confidentiality, Integrity, Availability
- Only identified senior personnel have access to databases, servers, and backups on a need-to-know and need-to-use basis.
- Every user access is unique and protected by an authentication step.
- We require strong passwords on all systems, for both employees and customers.
- All our services are encrypted in transit.
- We maintain our products as available with over 99.98% uptime.
- We require the same involvement from our providers.
Your data, your privacy
- We process your data only in order to configure the application to your business needs.
- We cannot access data during support requests unless access is granted by the customer.
- We will never, ever ask for your personal information, such as your password.
- We keep no copies of your data beyond 60 days after contract termination.
- You can upload and download documents you need securely.
- We are always ready to respond to security incidents.
- Our staff are trained in security and follow our best practices.
- We implement a business continuity plan so that we remain available at all times.
- Your data is recoverable from backups.
How do you ensure the Confidentiality and Integrity of our information is kept intact?
D4H Technologies places a high priority on information security. To ensure the confidentiality and integrity of our customers' information, we use an Information Security Management System (ISMS). For instance, we manage and monitor all physical and logical access to data, train our employees to follow security principles and requirements, and protect our products against attacks and intrusions.
How and to what level do you ensure the Availability of our information?
Availability is one of the foundations of information security. That is why we use third-party alerting and monitor our servers' capacity and availability globally. We also have providers who ensure DDoS mitigation. Finally, we have a Business Continuity Plan in order to guarantee our availability.
Have there been any data leaks or misuse of our information recently?
We have never had a data leak or misuse. Should one occur, security reports are sent to our customers by email to alert them as soon as we detect a problem.
Which employee roles have physical and/or logical access to our data?
We grant access on a need-to-know and need-to-use basis. Only senior engineers may access the raw customer information database, by the very nature of their responsibilities. Customer Support must be granted access by a customer in order to access their data and assist with support.
Do you ensure that your own suppliers and subcontractors respect such standards?
Yes, we engage with our providers and vendors so that we know they respect our requirements. In the rare case that your deployment is in a geography without compliant vendors, we will inform you. If providers and vendors do not provide enough information, we will let you know the risks your data is exposed to, if they are part of a deployment in your region.
Do you have Security policies?
Our policies cover areas such as data protection, passwords and encryption keys, physical and environmental security, social security awareness, destruction and disposal of information, access control, incident management, business continuity and secure engineering principles. They are enforced and regularly reviewed by management. For security reasons, we cannot make them public.
Do you have an Information Security Management System in order to ensure the security of your operations?
Yes, D4H Technologies follows the guidelines provided by the ISO 27002:2013 standard. You can ask our support team for our ISMS.
How are your systems protected against unauthorised access, intrusion or attacks?
D4H Technologies follows strict security requirements. We use the OWASP Testing Guide as a basis for our products' vulnerability testing. We ensure that we protect against the OWASP Top 10 most critical vulnerabilities.
Can you provide record of recent intrusions or attacks?
Intrusions or attacks are logged. They are also monitored and assessed in order to evaluate their impact, so that actions can be adapted to the severity of the attack.
How do you train the employees who have access to our data regarding security?
Employees read and apply our policies and procedures, and receive regular training and information during our weekly briefing.
Do you have an Incident Management procedure?
Yes, our employees know what to do and whom to contact if an incident occurs. We also assess the risks of these incidents and take corrective actions as necessary.
How are we alerted if an incident occurs?
Security reports are sent to our customers by email to alert them as soon as we detect a problem and have prevented further access.
Do you have physical access controls?
Yes, we keep a record of granted physical access. Guests are always accompanied, and we log visitor access.
Is there 24x7 physical security?
Yes, an alarm is activated outside business hours. Our data centers also have 24x7 on-site personnel and alarms.
Do you have an access removal policy?
Yes, every employee whose contract is terminated has their physical and logical access removed. Access is also reviewed when needs and roles change.
Do you log, monitor, and report all security events?
Yes, we do so for our products, or we use logs from our providers and vendors. We monitor them continuously, according to the sensitivity of the information.
Are accesses based on business need, least privilege, and individual accountability?
Yes, we grant access on a need-to-know and need-to-use basis. We are able to track individual accountability.
Do you have a password policy?
Yes, we enforce the use of an 8-character password containing lowercase letters, uppercase letters and numbers, for both our internal use and customer access to their data. We also use 2-step authentication when available for our business systems. Our customers can use 2-factor authentication on D4H™ DECISIONS.
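The password rules stated above (8 characters, with lowercase, uppercase and numbers) are the kind of policy a server-side gate checks before accepting a credential. The following is an added illustration, not D4H's own code: it encodes those rules as named checks and reports which ones a candidate password fails, so a rejection can tell the user what is missing. Reading "8 characters" as a minimum length is an assumption of this example, as are the sample passwords.

```python
# Added example: validate a password against the policy described on the page
# (8 characters with lowercase, uppercase and numbers). Not D4H's code.
import re

MIN_LENGTH = 8  # assumption: the page's "8 character" rule read as a minimum length

# Each rule is (name, predicate). A password is compliant only if every predicate holds.
RULES = [
    ("min_length", lambda p: len(p) >= MIN_LENGTH),
    ("lowercase", lambda p: re.search(r"[a-z]", p) is not None),
    ("uppercase", lambda p: re.search(r"[A-Z]", p) is not None),
    ("digit", lambda p: re.search(r"[0-9]", p) is not None),
]


def failed_rules(password: str) -> list:
    """Return the names of the policy rules the password does not satisfy (empty if compliant)."""
    return [name for name, check in RULES if not check(password)]


def is_compliant(password: str) -> bool:
    """True when the password satisfies every rule of the stated policy."""
    return not failed_rules(password)


if __name__ == "__main__":
    # Constructed sample inputs for demonstration only.
    for candidate in ("Tr0ubador", "password", "SHORT1a"):
        print(candidate, "->", failed_rules(candidate) or "ok")
```

Returning the list of failed rule names rather than a bare boolean lets the enforcing system log which policy element was violated without ever logging the password itself.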
Do you have virus, malware, intrusion, etc. detection software?
Yes, we keep them up-to-date and review the logs regularly.
What is your policy for removing test and user accounts when they are no longer in use?
Yes, it is part of our secure engineering principles.
Do consoles with keyboards have password-protected screens that log off if unattended?
All systems and terminals use password-locked screens after 10 minutes of inactivity.
Do you have a Firewall protection in place?
Yes, we do, for both our internal use and customer access to their data.
Do you protect against DDoS?
This service is available on our US servers and backups.
Are system and data backups accessible for a period of at least 30 days?
How are backups stored on different systems, physically and logically? What would be required to lose both?
We use different systems for servers and backups, separated physically, logically and geographically. Backup systems are not accessible from application servers. It is almost impossible to lose both, as an attack or incident would have to occur on both systems at the same time.
Business Continuity and Disaster Recovery
Do you have a business continuity and disaster recovery plan?
Yes:
- Business systems are hosted and accessible externally.
- Data backups are securely stored off-site.
- Employees can work remotely on their laptops.
- Office facilities are accessible off-site.
How do you remove data after service or contract termination?
We follow a destruction and disposal policy.