Understanding Shared Responsibility with Dexero
Dexero takes responsibility for creating safe, reliable and robust products. While we maintain the cloud infrastructure, you are responsible for securing your data and the settings you configure within the Dexero apps.
When using Dexero, data security and privacy is a shared responsibility between you and us. Here is a model that describes the high-level architecture of our cloud environment, which is software as a service (SaaS), and the associated responsibilities.
Customer responsibility
- Responsibility for data
- Passwords
- Client and endpoint security
Shared responsibility
- Identity and access management
- Data management
- Data management to other parties
- encryption
- Backups
- Incident management
- Awareness and training
- Policy and Compliance
Responsibility of Dexero
- Data Security
- Availability
- Business Continuity
- Network controls
- Host infrastructure
- Physical security
We’ve put together this guide to help you understand the steps Dexero takes to keep your account secure, what you can do to secure your data, and how we can work together to ensure a secure environment. cloud.
Customer responsibility
Let’s look at your role in protecting your data in the cloud and keeping your devices secure.
Data responsibility
As a user, you are responsible for the following:
- The data you share and receive through the cloud. You choose who you share them with, how they are shared and for how long.
- You are responsible for the confidentiality of the data you manage using the Dexero services. You must ensure that you do not accidentally or intentionally make private content publicly available.
- You must guarantee the accuracy of the data you process in your system.
- To ensure that the Dexero Services are used only for their intended purpose, you must ensure that your Dexero Service Account is not used illegally or for spamming purposes, either by you or by any third party. acting on your behalf.
Passwords
It is your responsibility to create a strong password and protect it when using it to log in and access the cloud.
Client and endpoint security
- If one of your access points, such as your laptop, desktop or smartphone, is compromised, all other security controls will be ineffective.
- As responsible for the security of your access points, you must ensure that your browser services, your mobile operating system and your mobile applications are regularly updated to the latest version. You should also apply the necessary patches to fix the vulnerabilities.
Shared responsibility
Responsibility for control that will apply to both you and Dexero
Identity and access management
We provide an infrastructure to manage user accounts through our Identity and Access Management (IAM) service. We offer the following features:
- User Registration, Opt-Out Options and Usage Specifications.
- Ability to manage user access rights to your cloud.
- Strong authentication techniques, such as multi-factor authentication and IP address restriction.
You are responsible for the following:
- Apply strong controls for managing user access.
- Setting up strong passwords in accordance with the organization’s security policy and protecting those passwords.
- Enable multi-factor authentication for users in your organization.
- Administration of user accounts and privileges: configuration of user roles according to the principle of least privilege.
- Defining organization account administrators and adopting an appropriate process for ownership transfers. We also take steps to ensure that your organization retains control of administrator accounts.
- Periodically check the list of users with access to the data and remove access for anyone who should not have access.
- Regular review of devices linked to organization user accounts and removal of unused or unauthorized devices.
- Monitoring your organization’s user accounts for malicious use or access.
- Notification to Dexero of unauthorized use of your organization’s accounts.
- Educating your users on effective password management, risk of credential reuse, social logins and phishing attacks.
Data managment
We offer you a platform to manage your data thanks to the following functions:
- Data sharing features are available for administrators and users, with auditing features to provide transparency into important activities and track changes to customer data.
- Our service also offers data interoperability, which means that you can perform a complete backup of data and configurations to migrate them to another SaaS provider.
- We keep your data in your account for as long as you use Dexero’s services, and when you terminate your user account, your data is deleted from the active database during the next cleaning (performed every six months).
- Any data deleted from the active database is also deleted from backups after three months.
- To ensure the privacy of customer data, our service offers access restriction features to prevent employees from accessing customer data unless there is a specific reason.
You are responsible for the following:
- When processing special category information, such as personal/sensitive data, it is important to exercise due diligence by applying appropriate controls to comply with the requirements of applicable law.
- It is also essential to set up sharing and viewing permissions correctly and to regularly review audit reports to identify any suspicious activity.
- We also recommend that you keep your contact information up to date with Dexero. If you decide to no longer use our services, it is important to remove your data from the system. Otherwise, this data will be permanently deleted without any possibility of recovery.
Data management to other parties
We will strive to implement secure integrations and extensions for our apps by doing the following:
- Plugins : performing functional, security and privacy testing when an application is submitted to us. We also review content.
- Sub-processors : With respect to indirect sub-processors used by us, Dexero Company assesses their security and privacy practices to ensure that they comply with Dexero’s standards for data privacy and security. information.
We then establish appropriate data protection agreements with these sub-processors.
- We also review our vendors’ privacy policies and terms of service to ensure that their operations meet our standards.
Here is what we expect from you:
- You have the option to enable or disable third-party integrations. It is recommended that you study the privacy policy and terms of service of third parties to understand how they collect, use or disclose data.
- It is important to assess the suitability of plug-ins and check whether the permissions requested before installation are reasonable.
- In case of identified malicious behavior in the add-ons, we recommend that you inform Dexero.
Rights of Data Subjects
We are responsible for the following:
- We provide our clients with features to enable them to satisfy and protect the rights of their own clients.
- We will inform you of requests from your customers when they contact us directly to exercise their rights.
It is your responsibility to:
- Respect and respond to our customers’ requests for access to, rectification or deletion of their data, as well as restrictions on the processing of their personal information.
Data encryption
We use security measures to protect your data, such as encryption in transit and at rest.
- For data in transit, we use strong encryption protocols, such as TLS 1.2/1.3 with strong ciphers, for all connections, including web access, API access, our mobile apps, and access IMAP/POP/SMTP.
- As for the sensitive data stored, it is encrypted at rest with the AES (Advanced Encryption Standard) 256-bit algorithm. The selection of data that is encrypted depends on the service you have chosen. We manage encryption keys using our own internal Key Management Service (KMS).
On your side, it is recommended:
- When data is downloaded or exported from our cloud to your environment or when synchronized with third-party integrations such as Dexero, you must ensure that the appropriate encryption controls are applied. It is recommended that you enable disk encryption on your devices and use features such as export with password protection to enhance data security.
Incident management
For our part, we take care of the following points:
- We report any incidents of violations that we know of that concern you, providing details of the impact and the action taken.
- If the incident is specific to a user or organization, we will notify them by email at the address registered in our services. We are tracking these incidents and working to resolve them.
- We also apply controls to prevent the recurrence of similar situations.
- If you request it, we can provide additional evidence relating to the incident in which you are involved
Here is what we expect from you:
- You follow Dexero’s recommendations in the event of a breach and you are in compliance with the disclosure and notification requirements in the event of a data breach. This includes notifying end users and data protection authorities where relevant.
- You also notify us of security and privacy incidents that you have identified by emailing support@dexero.com.
Awareness and training
We are responsible for the following:
- Train our employees to make them aware of security issues and teach them secure development practices. Our employees receive regular security training via informational emails, presentations and resources available on our intranet. In addition, new employees must complete mandatory security and privacy training.
- Train our employees on the proper management of customer data stored on our cloud service.
For your part, you are responsible for training cloud users on the following elements:
- The standards and procedures relating to the use of our services.
- Risk management related to our services.
- Risks to the overall system and network environment.
- Applicable legal and regulatory considerations.
Policy and Compliance
We follow the guidelines below:
- We have a comprehensive program in place to manage risk and we apply controls effectively.
- We comply with the laws of all jurisdictions where we do business.
- We provide evidence of compliance with applicable laws and we honor our contractual commitments.
- We assist our clients in conducting Data Protection Impact Assessments (DPIAs) where permitted by applicable laws.
On your side, we expect you to:
- Assess the regulations and laws applicable to your business and that you verify whether we comply with these required regulations and standards. You may request additional information for evidence of our compliance.
- Understand our strategies, our methods of evaluating strategies and our processing of data.
- Perform DPIA assessments in accordance with data protection laws applicable to your business before or during data processing.
- Ask about the legal basis for any processing of personal/sensitive data and obtain consent from your customers if that legal basis is based on consent.
- Assess the suitability of our cloud services based on the information we provide and ensure that the information is sufficient to meet your compliance needs.
- Understand the risk profile and sensitivity of data hosted on Dexero services and apply appropriate controls.
Responsibility of Dexero
We are responsible for cloud protection and associated controls that run all Dexero services.
Data Security
- We logically isolate each customer’s data using a set of secure protocols within our structure to prevent outside intrusion.
- We ensure the confidentiality of your data by taking care of its security during storage, transmission and processing.
- We guarantee the integrity of your data, including system data such as logs and configurations.
- We ensure the traceability and control of your data by providing information on their physical location and their processing at all times.
Availability
- According to our service agreement, we are required to guarantee 99.9% availability of our services. Thus, we support the management of hardware and software failures as well as potential threats, such as denial of service attacks.
- As a customer, you can access status.dexero.com at any time to view the current status of our services or obtain information about past disruptions.
Business Continuity
- We are required to have a business continuity plan in place for our core operations such as infrastructure management and customer support.
- We will ensure that application data stored in resilient storage will be replicated across all of our data centers. Data from the primary data center will be replicated in near real-time to our secondary data center. Thus, in the event of a disaster, we can quickly switch to our secondary data center to ensure the continuity of our services.
Network controls
We have a responsibility to maintain a secure production network using firewalls to prevent unauthorized access and malicious traffic flow. Strictly controlled access is in place for production networks.
Host infrastructure
We are responsible for protecting and securing the host infrastructure, which includes all servers that are part of the production network. We apply enhanced standards to all of these servers to ensure their security. Additionally, we use operating system patch management, baseline configuration, and host-level intrusion detection technologies to maintain infrastructure security.
Physical security
It is our responsibility to guarantee the protection of our infrastructure against unauthorized physical access, intrusions and disasters.
Conclusion
The Cloud Security Shared Responsibility Model clearly articulates security expectations for users and cloud service providers. However, to fulfill their responsibilities, users must take concrete steps by developing policies and procedures for cloud security. While Dexero is committed to maintaining the security of your data and providing a secure cloud environment, it is important that users take steps to fulfill their part of the responsibility. If you have any additional questions on this subject, please do not hesitate to contact us at info@dexero.com.