Top Security Questions
In partnership with Amazon Web Services we currently offer data residency in the following regions:
- United States
- European Union (GDPR Compliant)
- Canada
- Australia
Yes, databases and storage volumes are encrypted at rest using the industry-standard AES-256 encryption algorithm on our servers.
Data in transit between your browser and our servers is encrypted using TLS (the successor to SSL).
There is no download or installation required; you can access our web application from any internet-connected web browser. D4H provides a fully-hosted cloud service, with no servers for you to maintain. The only system requirement is a modern web browser, and we support Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari.
Yes, all EU service contracts include a GDPR compliant data processing agreement with our company D4H Technologies Ltd. (463199) registered in Ireland in the European Union. Through our privacy-first design, your account can be configured to meet all GDPR requirements.
Our products can support a number of integrations out-of-the-box and you can build your own with our fully documented REST API available for Personnel & Training, Equipment Management, and Incident Reporting.
Standards & Certifications
D4H holds ISO 27001:2022 certification, verified by an external audit. Our infrastructure runs in data centers managed by Amazon Web Services that are audited against ISO 27001, ISO 27017, ISO 27018, ISO 9001, SOC 1, SOC 2, and SOC 3.
Confidentiality, Integrity, Availability
- All of your data is encrypted at rest.
- Our services are all encrypted during transit.
- Only identified senior personnel have access to databases, servers, and backups on a need-to-know and need-to-use basis.
- Every user has a unique account protected by an authentication step.
- We require strong passwords on all systems both by employees and customers.
- We maintain over 99.98% uptime for our products.
- We require the same standards from our providers.
Your data, your privacy
- We process your data only in order to configure the application to your business needs.
- We cannot access your data during support requests unless granted by you.
- We will never ask you for credentials such as your password.
- You can upload and download documents you need securely.
- All service contracts include a GDPR compliant data processing agreement.
Our Response
- We are always ready to respond to integrity and security incidents.
- Our staff are continually trained in security and enforce our best practices.
- We implement a business continuity plan in order to remain available at all times.
- Your data is backed up using point-in-time recovery.
Frequently Asked Questions (FAQ)
General Requirements
How do you ensure the Confidentiality and Integrity of our information is kept intact?
D4H Technologies places a high priority on information security. To ensure the confidentiality and integrity of our customers' information, we operate a robust Information Security Management System (ISMS). For instance, we manage and monitor all physical and logical access to data, train our employees to follow our security principles and requirements, and protect our products against attacks and intrusions.
How and to what level do you ensure the Availability of our information?
Availability is one of the foundations of information security. That is why we use third-party alerting and monitor our servers' capacity and availability globally. We also use providers who deliver DDoS mitigation. Finally, we have a tested Incident Management Procedure to protect our availability.
Have there been any data leaks or misuse of our information recently?
We have never had data leaks or misuse. Should an incident occur we follow our detailed Incident Management Procedure, with notification and security reports being sent to affected customers by email as soon as we detect or suspect a problem.
Which employee roles have physical and/or logical access to our data?
We grant access on a need-to-know and need-to-use basis. Only senior engineers may access raw customer databases, by the very nature of their responsibilities. Customer Support must be granted access by a customer before they can view that customer's data to assist with a support request. All of our employees undergo security screening at recruitment and throughout their time with us. All data is encrypted at rest.
Security Management
Do you have a Privacy policy?
Yes, you can find our privacy statement here.
Do you have Security policies?
Our policies cover areas such as data protection, passwords and encryption keys, physical and environmental security, security awareness, destruction and disposal of information, access control, incident management, business continuity, and secure engineering principles. They are enforced and regularly reviewed by management. For security reasons we cannot make them public, but should you have further questions our Information Security Manager will be happy to discuss them.
Operational Security
Do you have an Information Security Management System in order to ensure the security of your operations?
Yes, D4H Technologies is certified to the ISO 27001:2022 standard.
How are your systems protected from unauthorized access, intrusion, and attacks?
D4H Technologies follows strict security requirements. We use the OWASP Testing Guide as the basis for our product vulnerability testing, and we ensure that we protect against the OWASP Top 10 most critical vulnerability categories.
Can you provide a record of recent intrusions or attacks?
Intrusions and attacks are logged, monitored, and assessed to evaluate their impact, so that our response can be adapted to the severity of the attack.
How do you train the employees who have access to our data regarding security?
Employees read, acknowledge and apply our policies and procedures, have regular security training, and are kept up to date with the latest security threats during our weekly briefings.
Do you have an Incident Management procedure?
Yes, our employees know what to do and who they should contact if an incident occurs. We also assess risks of these incidents and take corrective actions as necessary. We routinely test our procedure and continuously improve it based on industry recommendations.
How are we alerted if an incident occurs?
Security reports are sent to affected customers by email as soon as we detect a problem and have prevented further unauthorized access.
Physical Security
Do you have physical access controls?
Yes, we keep a record of granted physical access. Guests are always accompanied. We log visitor access.
Do you have an access removal policy?
Yes, we have a formal Joiners, Movers and Leavers Procedure which ensures that every employee whose contract is terminated has their physical and logical access removed. Access is also reviewed when needs and roles change.
System Security
Do you log, monitor, and report all security events?
Yes, including security events from our providers and vendors. We monitor them continuously and prioritise our response according to the severity of the event.
Are accesses based on business need, least privilege, and individual accountability?
Yes, we grant access on a need-to-know and need-to-use basis, and every access is attributable to an individual account.
Do you have a password policy?
Yes, we enforce a minimum 8-character password containing lowercase letters, uppercase letters, and numbers, both for our internal systems and for customer access to their data. We also use 2-step authentication on our business systems wherever it is available. Our customers can enable 2-factor authentication where applicable.
Do you have virus, malware, intrusion, etc. detection software?
Yes. They are kept up to date automatically and their logs are reviewed regularly.
Server Security
What is your policy to have test and user accounts removed when no longer in use?
Removing test and user accounts when they are no longer in use is part of our secure engineering principles.
Do devices have password protected screens that logoff if unattended?
All systems and terminals use password locked screens after 5 minutes of inactivity.
Network Security
Do you have Firewall protection in place?
Yes. Firewalls protect both our internal systems and the systems through which customers access their data.
Data Security
Are system and data backups accessible for a period of at least 30 days?
Yes.
How are backups stored on different systems, physically and logically? What would be required to lose both?
We use separate systems for servers and backups, isolated physically, logically, and geographically. Backup systems are not accessible from the application servers. Losing both would require an attack or incident affecting both systems at the same time.
Business Continuity and Disaster Recovery
Do you have a business continuity and disaster recovery plan?
Yes. We have a detailed Business Continuity Plan and a dedicated Incident Response Team to ensure continued service to our customers.
Contract Termination
How do you remove data after service or contract termination?
As set out in our Service Agreements, all customer data is removed from our systems when a contract is terminated. To ensure this is done, we follow our destruction and disposal policy.
EU Digital Services Act (DSA)
Our Commitment to Transparency
At D4H, we're committed to ensuring transparency in our operations, especially in our role as an intermediary service provider. This section provides detailed information on our content moderation activities, data hosting practices, and compliance with the Digital Services Act (DSA).
- We take a proactive approach to maintaining a safe and compliant platform.
- We request that D4H users notify us of any illegal content so we can review, notify account owners and remove content that violates applicable laws if necessary.
- We do not use automated tools for content moderation of private customer data.
- Content that breaches our terms of service is subject to removal or other actions.
- We comply with legal orders from authorities regarding the removal or disabling of access to illegal content.
- We take user complaints seriously and have established a structured process to address them efficiently.
Submission/Complaints process:
- Users can submit complaints via email to [email protected].
- Complaints are reviewed by our moderation team, and users are notified of the outcome.
- If users are unsatisfied with the resolution, they can appeal the decision.
Reports
Our transparency reports are publicly accessible and available in English to the Member States where we operate. These reports can be seen here.
We publish our transparency reports at least once every six months. The next report will be available on 1st December 2024.
Point of contact
To streamline interactions with authorities, users, and other stakeholders, we have established a Single Point of Contact (SPOC) for all inquiries related to our intermediary services and compliance with the Digital Services Act (DSA).
Name: Jenny Appleby
Role: Information Security Manager
Email: [email protected]
If you have any questions or need assistance regarding our intermediary services, content moderation practices, legal orders, or any other related matters, please do not hesitate to contact our Single Point of Contact. We are committed to providing timely and accurate responses to all inquiries.