Top Security Questions
Standards & Certifications
D4H is certified with an external audit for ISO 27001:2022. We use ISO 27001, ISO 27017, ISO 27018, ISO 9001, SOC 1, SOC 2, and SOC 3 audited data centers managed by Amazon Web Services.
Confidentiality, Integrity, Availability
- All of your data is encrypted at rest.
- Our services are all encrypted during transit.
- Only identified senior personnel have access to databases, servers, and backups on a need-to-know and need-to-use basis.
- Every user account is unique and protected by an authentication step.
- We require strong passwords on all systems, for both employees and customers.
- We maintain our products with over 99.98% uptime.
- We require the same standards from our providers.
Your data, your privacy
- We process your data only to configure the application to your business needs.
- We cannot access your data during support requests unless granted by you.
- We will never, ever ask for your personal information such as a password.
- You can upload and download documents you need securely.
- All service contracts include a GDPR compliant data processing agreement.
- We are always ready to respond to integrity and security incidents.
- Our staff are continually trained in security and enforce our best practices.
- We implement a business continuity plan in order to remain available at all times.
- Your data is backed up using point-in-time recovery.
Frequently Asked Questions (FAQ)
How do you ensure the Confidentiality and Integrity of our information is kept intact?
D4H Technologies places a high priority on information security. In order to ensure the confidentiality and integrity of our customers' information, we have a robust Information Security Management System (ISMS). For instance, we manage and monitor all physical and logical access to data, train our employees to follow security principles and requirements, and protect our products against attacks and intrusions.
How and to what level do you ensure the Availability of our information?
Availability is one of the foundations of information security. That is why we use third-party alerting and globally monitor our servers' capacity and availability. We also have providers who ensure DDoS mitigation. Finally, we have a tested Incident Management Procedure in order to guarantee our availability.
Have there been any data leaks or misuse of our information recently?
We have never had data leaks or misuse. Should an incident occur we follow our detailed Incident Management Procedure, with notification and security reports being sent to affected customers by email as soon as we detect or suspect a problem.
Which employee roles have physical and/or logical access to our data?
We grant access following the need-to-know and need-to-use basis. Only senior engineers may access raw customer information databases by the very nature of their responsibilities. Customer Support must be granted access by a customer to access their data to assist with support. All of our employees undergo security screening at recruitment and throughout their time with us. All data is encrypted at rest.
Yes, you can find our privacy statement here.
Do you have Security policies?
Our policies cover areas such as data protection, password and encryption keys, physical and environmental security, social security awareness, destruction and disposal of information, access control, incident management, business continuity, and secure engineering principles. They are enforced and regularly reviewed by management. For security reasons, we cannot make them public but should you have further questions our Information Security Manager will be happy to discuss these.
Do you have an Information Security Management System in order to ensure the security of your operations?
Yes, D4H Technologies is certified to the ISO 27001:2022 standard.
How are your systems protected from unauthorized access, intrusion, or attacks?
D4H Technologies follows strict security requirements. We use the OWASP Testing Guide as a basis for our product’s vulnerability testing. We ensure that we protect against the OWASP Top 10 most critical vulnerabilities.
Can you provide a record of recent intrusions or attacks?
Intrusions and attacks are logged. They are also monitored and assessed to evaluate their impact, so that our response can be adapted to the severity of the attack.
How do you train the employees who have access to our data regarding security?
Employees read, acknowledge and apply our policies and procedures, have regular security training, and are kept up to date with the latest security threats during our weekly briefings.
Do you have an Incident Management procedure?
Yes, our employees know what to do and who they should contact if an incident occurs. We also assess risks of these incidents and take corrective actions as necessary. We routinely test our procedure and continuously improve it based on industry recommendations.
How are we alerted if an incident occurs?
Security reports are sent to our customers by email to alert them as soon as we detect a problem and have prevented further access.
Do you have physical access controls?
Yes, we keep a record of granted physical access. Guests are always accompanied. We log visitor access.
Do you have an access removal policy?
Yes, we have a formal Joiners, Leavers and Movers Procedure which ensures that every employee whose contract is terminated has physical and logical accesses removed. Access is also reviewed when needs and roles change.
Do you log, monitor, and report all security events?
Yes, including events from our providers and vendors. We monitor them continuously, with review prioritized by the severity of the information.
Are accesses based on business need, least privilege, and individual accountability?
Yes, we grant access following the need-to-know and need-to-use basis. We are able to track individual accountability.
Do you have a password policy?
Yes, we enforce the use of an 8-character password containing lowercase letters, uppercase letters, and numbers, for both our internal use and customer access to their data. We also use 2-step authentication when available for our business systems. Our customers can use 2-factor authentication where applicable.
Do you have virus, malware, intrusion, etc. detection software?
Yes, we keep it up to date automatically and review its logs regularly.
What is your policy to have test and user accounts removed when no longer in use?
Yes, removing test and user accounts that are no longer in use is part of our secure engineering principles.
Do devices have password protected screens that logoff if unattended?
Yes, all systems and terminals use password-locked screens after 5 minutes of inactivity.
Do you have Firewall protection in place?
Yes, firewalls protect both our internal systems and customer access to their data.
Are system and data backups accessible for a period of at least 30 days?
How are backups stored on different systems, physically and logically? What would be required to lose both?
We use different systems for servers and backups, separated physically, logically, and geographically. Backup systems are not accessible from application servers. Losing both is almost impossible, as an attack or incident would have to affect both systems at the same time.
Business Continuity and Disaster Recovery
Do you have a business continuity and disaster recovery plan?
Yes. We have a detailed Business Continuity Plan and a dedicated Incident Response Team to ensure continued service to our customers.
How do you remove data after service or contract termination?
As per our Service Agreements, all customer data is removed from our systems in the event of a contract termination. To ensure this is done, we follow our destruction and disposal policy.