
Cyber security compliance

Updated Sep 27, 2018


Security and compliance are top priorities for Dhound because they are fundamental to your experience with the product. Dhound is committed to securing your application’s data, eliminating system vulnerabilities, and ensuring continuity of access.

Dhound uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss.

If you would like to report a vulnerability or have any security concerns with a Dhound product, please contact info@dhound.io.

PCI DSS

Dhound’s payment and card information is handled by Stripe, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry.

Dhound does not typically receive credit card data, making it compliant with Payment Card Industry Data Security Standards (PCI DSS) in most situations.

GDPR compliance cyber security

General Data Protection Regulation (GDPR) is a European regulation to strengthen and unify the data protection of EU citizens. As of the 25th of May 2018, all companies worldwide that store and process data about EU citizens will be required to comply with GDPR.

Dhound is taking particular steps across the entire company to ensure we will be ready for the GDPR. We are collecting minimal personally identifiable information (PII) only for the purposes declared by Dhound. We reviewed our Terms of Use and Privacy Policy to comply with GDPR. We are also working on interfaces that will allow you to exercise your rights to access any personal data that might be stored in your Dhound account.

Based on the research conducted by both our inside and outside counsel, we are confident these changes will address the requirements of GDPR. We will communicate these changes in detail around the first of the year.

Here’s a brief overview of our GDPR roadmap:

  1. Review our product functionality to comply with GDPR: COMPLETE
  2. Develop a strategy and requirements for how to address our product impacted by GDPR: COMPLETE
  3. Revised data mapping and activities to process personal data: COMPLETE
  4. Revised Dhound Architecture Design Document and implemented technical measures: COMPLETE
  5. Revised and updated internal policies and procedures: COMPLETE
  6. Update Terms of Use and Privacy policy: COMPLETE
  7. Add explicit consent on registration page to collect Personal Information: COMPLETE
  8. Changes in user profile to comply with GDPR: COMPLETE
  9. Test and finalize our full compliance: COMPLETE

Infrastructure and Network Security

Physical Access Control

Dhound uses hetzner.de, with a data center in Germany, as its hosting provider. Hetzner hosting is compliant with ISO/IEC 27001. Hetzner data centers feature a layered security model, including extensive safeguards.

Dhound employees do not have physical access to Hetzner data centers, servers, network equipment, or storage.

Logical Access Control

Dhound is the assigned administrator of its infrastructure on the Hetzner platform, and only designated, authorized Dhound operations team members have access to configure the infrastructure. Specific private keys are required for individual servers, and keys are stored in secure, encrypted locations.

Penetration Testing

The Dhound team has rich experience in penetration testing and conducts internal security analysis before each serious release.

Dhound undergoes black box penetration testing, conducted by an independent, third-party agency, on an annual basis. For black box testing, Dhound provides the agency with an isolated clone of a test client Dhound instance and a high-level diagram of application architecture.

Intrusion Detection and Prevention

Dhound has installed the intrusion detection system dhound.io on each asset, which allows it to detect and react to security events and incidents in real time.

Business Continuity and Disaster Recovery

High Availability

Dhound is configured in a high-availability model and uses properly provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.

Business Continuity

Dhound keeps regular hourly encrypted backups of data outside of the servers (dedicated file storage). While never expected, in the case of production data loss (i.e., primary data stores lost), Dhound will be able to restore data from these backups.

Disaster Recovery

In the event of a region-wide outage, Dhound has a plan to quickly bring up a duplicate environment on another hosting provider within the EU. The Dhound operations team has extensive experience performing secured migrations.

Data Security and Privacy

Data Encryption

All data on Dhound servers is automatically encrypted at rest. RSA 2048 is used for backup encryption. All private keys are kept separately from the live environment.

So, if an intruder were ever able to access any of the physical storage devices, the Dhound data contained therein would still be impossible to decrypt without the keys, rendering the information a useless jumble of random characters.

Dhound uses only world-standard encryption algorithms:

  • AES 256 for symmetric encryption
  • RSA 2048 for asymmetric encryption
  • SHA512+RSA2048 for digital signing of Dhound assets

Data in Motion

All communications are restricted to encrypted channels. Only TLS 1.0, 2.0, 3.0 and higher are allowed. The current level of SSL configuration is A+ (https://www.ssllabs.com/ssltest/analyze.html?d=dhound.io).

Corporate Security

Malware Protection

Dhound believes that good security practices start with our own team, so Dhound goes out of its way to protect against internal threats and local vulnerabilities. All company-provided workstations run antivirus software, strongly configured firewalls and other security features.

Risk Management

Dhound follows the risk management procedures outlined in NIST SP 800-30, which include nine steps for risk assessment and seven steps for risk mitigation.

All Dhound product changes must go through code review, CI, and build pipeline to reach production servers. Only designated employees on Dhound’s operations team have secure shell (SSH) access to production servers.

Dhound performs testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.

Contingency Planning

The Dhound operations team includes service continuity and threat remediation among its top priorities. Dhound keeps a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.

Disclosure Policy

Dhound follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. Dhound notifies customers of any data breaches as soon as possible via email, followed by multiple periodic updates throughout each day addressing progress and impact.

Security Development Lifecycle

Security Development Lifecycle (SDLC) is a software development process that helps developers build more secure software and address security compliance requirements. Combining a holistic and practical approach, the SDLC introduces security and privacy early and throughout all phases of the development process.

The security of the development process is based on our own version of the security development lifecycle process, IDS SDLC.

Contact information:


Interactive Digital Systems
11-13 Hunslet Road
Leeds
West Yorkshire
LS10 1JQ

Email: info@dhound.io
Tel: +44 (0)113 859 1669

Dhound Cybersecurity

Headquarters:
Interactive Digital Systems
The West Wing, Bowcliffe Hall, Bramham
LS23 6LP, Leeds, UK
Cybersecurity Lab:
IDS-GROUP LTD SP. Z O.O.
Warsaw, str. Domaniewska, No. 17/19
02-672, Poland