We only store your data and backups in our highly secure Canadian data centers, and we adhere to all necessary privacy regulations and strict security requirements. Now you don't have to worry about Safe Harbor, Privacy Shield or other privacy laws.
Access to your data is limited to a small number of employees in order to provide you with technical assistance. This access is reviewed periodically and the actions performed on the data are logged.
At Dexero, we take steps to ensure the security of your customer data by encrypting data in transit and at rest. Data stored on our servers is protected by industry-grade AES-256 encryption, while all data in transit over public networks is encrypted using Transport Layer Security (TLS) 1.2/1.3 with Perfect Forward Secrecy (PFS) to ensure that it is not disclosed or altered without permission. If you would like to know more about our approach to encryption, do not hesitate to contact us.
We manage encryption keys using our own internal Key Management Service (KMS). At this time we do not allow customers to upload their own keys.
The passwords you use to access Dexero services are stored securely using an irreversible (one-way) hashing scheme. We use the bcrypt hash algorithm with a unique salt per user, which makes it very difficult for attackers to crack passwords, even if our login database is compromised.
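The pattern described above (a slow, one-way hash with a random salt generated per user, and a constant-time comparison at login) can be seen in the following added example. This is illustrative code written for this page, not Dexero's implementation: it uses scrypt from the Python standard library in place of bcrypt, since both are salted, tunable-cost password hashes and scrypt needs no third-party package, and the `$scrypt$cost$salt$hash` storage string is a constructed format, not a standard one.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Cost parameters for the stand-in KDF (scrypt, stdlib). A deployment tunes these
# so that one hash takes a noticeable fraction of a second on its own hardware.
SCRYPT_N = 2 ** 14   # CPU/memory cost (must be a power of two)
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32           # derived key length in bytes
SALT_BYTES = 16      # fresh random salt per stored password


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a one-way hash of `password` under a random per-user salt.

    Returns a constructed storage string '$scrypt$<N>$<salt b64>$<hash b64>'
    so that the cost and the salt travel with the hash, as bcrypt strings do.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN,
    )
    return "$scrypt$%d$%s$%s" % (
        SCRYPT_N,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and cost, then compare in constant time.

    Any malformed or unknown-scheme record verifies as False rather than raising.
    """
    try:
        _, scheme, cost, salt_b64, hash_b64 = stored.split("$")
        n = int(cost)
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False
    if scheme != "scrypt" or n <= 0:
        return False
    actual = hashlib.scrypt(
        password.encode("utf-8"),
        salt=salt, n=n, r=SCRYPT_R, p=SCRYPT_P, dklen=len(expected),
    )
    # compare_digest avoids leaking where the first differing byte is via timing.
    return hmac.compare_digest(actual, expected)


def same_password_different_hashes(password: str) -> bool:
    """Two users choosing the same password get different stored values,
    because each gets its own salt; a leaked table cannot be cracked in bulk."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")   # constructed sample password
    print(record)
    print("login ok:", verify_password("correct horse battery staple", record))
    print("wrong pw:", verify_password("Tr0ub4dor&3", record))
    print("salts differ:", same_password_different_hashes("hunter2"))
```

The stored record never contains the password itself; verification only recomputes the hash and compares, which is why a stolen login database still forces an attacker to brute-force each user's password individually at the full cost setting.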
Our system distributes and maintains cloud space for our customers. Data from multiple customers is logically separated, and our framework ensures that no customer's service data becomes accessible to another customer.
We use an IDS, or Intrusion Detection System, to protect our computer system against malicious attacks. An IDS monitors network traffic and user activities in real time to detect suspicious behavior or intrusion attempts.
When abnormal behavior is detected, the IDS sends an alert to system administrators so they can take immediate action to counter the attack. IDS can also be configured to automatically block suspicious activity or IP addresses that are identified as dangerous.
By using an IDS, we can ensure that our system is protected against hacker attacks and other threats. We can also identify weaknesses in our system and fix them before they are exploited by malicious people.
Using an IDS is an essential security practice for any modern computer system. By proactively monitoring our network and systems, we can ensure that our business is better protected against potential attacks and data breaches.
We use technologies from well-established and reputable service providers, which offer multiple DDoS mitigation capabilities to avoid disruptions caused by such attacks.
Yes, we regularly perform automated and manual penetration tests. We use a combination of certified third-party security and compliance risk management tools and in-house tools for code and dependency checking. We engage reputable external agencies to perform this comprehensive application verification.
If you discover a vulnerability in one of our products, you can let us know so that we can fix it as soon as possible. We also have a responsible disclosure policy. Please find more details at https://dexero.com/bug-reporting/
We have a dedicated incident response team that is responsible for incident detection, assessment, forensics, containment and recovery activities. In cases where we are a data controller and an incident results in a data breach, affected customers will be notified within 72 hours of becoming aware of it.
In the event of a confidentiality incident, we keep a record of all incidents and take prompt action to reduce the risk of harm being caused to the persons concerned. (Quebec Government Law 25)
In cases where we are data processors and an incident results in a data breach, the respective controllers will be notified without undue delay.
For general incidents, we will notify users via our blogs, forums and social networks. For incidents specific to an individual user or organization, we will notify the affected party by email (using their primary email address). A full report will be provided to customers upon request within 5-7 business days.
We notify you of incidents that affect you, as well as any appropriate actions you may need to take. We track and close incidents with appropriate corrective actions. If necessary, we provide you with the necessary evidence concerning the incidents that concern you. A root cause analysis will be provided upon request.
All Dexero products (i.e. Dexero FD, Dexero eCommerce) are PCI DSS compliant. The payment service that customers use to purchase Dexero subscriptions is also PCI compliant.
Other Dexero services never transmit or store your credit card details.
Additional security features that can be used by customers:
* Multi-factor authentication
* Configurable password policy
* IP restrictions
* Role-based access control
* Encryption for custom fields
* Account activity auditing
We retain your account data for as long as you choose to use the Dexero Services. Once you have terminated your Dexero user account, your data will be deleted from the active database during the next cleanup, which takes place once every 6 months. Data deleted from the active database will be deleted from backups after 3 months.
We have a business continuity plan for our main operations such as support and infrastructure management. For redundancy, data from the primary data center (DC) is replicated to the secondary. If the primary DC fails, the secondary DC takes over and operations run smoothly with minimal or no downtime.
We perform full backups once a week and incremental backups daily. Backup data is stored in the same DC as the original data and is encrypted at rest in the same way. Additionally, we restore and validate backups weekly. A retention period of 3 months applies to all backed-up data. If requested by a specific customer, we will restore their data from the backup and make it available to them.
We use technical access controls and internal policies to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to minimize the risk of data exposure. Access to production environments goes through a separate network with stricter rules and hardened devices. Access control is maintained in a central repository and authenticated using a combination of strong passwords, two-factor authentication, and passphrase-protected SSH keys.
Our uptime SLA commitment is 99.9% monthly uptime. We have implemented redundancies at different levels from the infrastructure to the ISP to achieve this. Data from the primary datacenter is replicated to the secondary datacenter and a read-only version of Dexero applications is always served from the secondary datacenter.
We have a risk assessment policy and procedure to identify, analyze and mitigate risks by implementing appropriate controls. We perform a risk assessment for every major change that occurs in our environment. Global risks are reviewed and updated once a year.
Every employee goes through a background check process. We engage reputable external agencies to perform this verification on our behalf. We do this to check their criminal record, employment history (if any) and education history. Until this check is complete, the employee is not assigned tasks that may pose risks to users.
We always place the utmost importance on customer privacy. When we receive requests from law enforcement authorities, we review those requests to see if the applicable legal process is followed to obtain a valid and binding order. We oppose excessive or otherwise inappropriate requests. Unless prohibited by law, we notify customers before disclosing customer data so that customers can request protection from disclosure.
We are proud to say that we are in compliance with Quebec Law 25. This law, also known as the "Act respecting the protection of personal information in the private sector", was adopted to protect the rights of Quebec citizens with regard to the collection, use and disclosure of their personal information.
As a company, we have implemented rigorous policies and procedures to ensure the protection of the personal information of our customers and our employees. We have appointed a Privacy Officer and have trained all of our staff in privacy and information security.
We only collect the personal information necessary to provide our services and we use it only for the purposes for which it was collected. We also have appropriate security measures in place to protect this information from unauthorized access, disclosure or misuse.
We are pleased to say that we are in compliance with Quebec Law 25 and that we take our responsibility to protect the personal information of our customers and employees very seriously. We will continue to monitor our compliance with the law and work to maintain the highest standards of privacy protection.