Security

"Security is a Job, it's our job!"

Your data security is our top priority

The security of your data is crucial to your organisation’s survival. Data theft and loss, non-compliance with legal procedures such as the GDPR or even the cost involved with wasting time due to a service interruption can cause any company considerable damage.

Your data security is vital to you and even more so to us.

Whether it means protection against external piracy, internal security breaches, the dissemination of information or human error, security is essential to our customers and that is an integral part of our service. Our entire organisation focuses on this one objective: offering you the highest level of security possible.

A STRONG SECURITY CULTURE

DiliTrust is ISO 27001 certified. This certification includes all aspects of our services, even customer support and operations. ISO 27001 provides recommendations in terms of good information security management practices. Its scope is deliberately very wide-ranging, covering more than just protection, confidentiality and even technical or security matters.

All of our employees are ISO 27001 trained from their very arrival at the company and receive continuous training throughout their careers. Ongoing training makes it possible to ensure our teams stay up-to-date on the constant evolution of information security. Moreover, everyone who works with us signs a confidentiality agreement.

As part of our integration strategy, we also spread awareness among our customers for security rules and issues, for example, password and tablet management policies.

infrastructure

SERVER LOCATIONS

Our servers are certified as compliant with the highest security standards and are located in France.
The data hosted is not shared in the cloud and are not subject under any circumstance to the US CLOUD Act (and PATRIOT Act), thus ensuring our customers have continuous control of their sensitive data.

PHYSICAL SECURITY

Another important aspect of our data security is physical security. Physical access to the data centre is controlled by a badge system, video surveillance and onsite personnel 24/7.
The premises are equipped with smoke detection systems and an automatic dual power system with backup generators featuring initial 48-hour autonomy. Additionally, they are equipped with two redundant network connections to prevent dependence on any one internet provider.
Moreover, all systems are protected against flooding, fire and other environmental risks.

ULTRA SECURE HOSTING

In order to constantly enhance data protection and guarantee the confidentiality of all information, all DiliTrust systems and data are hosted on servers which have received the most demanding international certifications in IT security.
Hosting is also ISO/IEC 27001:2013 certified. This standard guarantees the implementation of an Information Security Management System (ISMS) for data security. ISO 27001 also defines control measures to ensure the systems offered to our customers have the highest level of security.

24/7 CONTROL AND SURVEILLANCE

Our systems are under 24/7 surveillance, particularly against any attacks or technical events:

  • Hardware surveillance (RAM, CPU and storage use rates), app performance surveillance;
  • Automatic alerts when suspicious activities are detected;
  • Firewall, IDS (Intrusion Detection System), anti-flood system (DDoS) and protection against brute-force attacks.

All servers have disks and redundant network access as well undergo a daily backup system.

BACKUPS

The entire system is backed up every day and stored in a completely different location under the same security conditions as the production servers and in the same country (thus, in the same jurisdiction).
Backups are saved for seven days and then definitively destroyed without any possibility of recovery. Example: the backup file for Monday automatically deletes the file from the preceding Monday.
A second operating system is available for any situations of force majeure to restart the service (during DNS propagation time).

ENCRYPTION

« DATA-AT-REST » : AES 256

All confidential data-at-rest are AES encrypted (Advanced Encryption Standard, Rijndael) with a 256-bit key, which is the highest encryption standard today.
This is true for both servers as well as mobile devices (for locally stored data).

« DATA-IN-MOTION » : HTTPS 256 BITS

Our standard for all traffic (data-in-motion) on or off our servers is systematic TLS encryption (TLS 1.2 or higher) with the highest encryption level (256 bits). No unencrypted traffic is authorised.
Only modern and secure browsers (IE11, Edge, Firefox, Chrome, Safari) and native DiliTrust mobile apps are used. Access to obsolete and non-secure browsers (such as IE8) is denied.

HARDWARE SECURITY MODULE (HSM)

A Hardware Security Module (HSM) is a digital safe. It’s a dedicated cryptographic processor specially designed to protect encryption keys throughout their lifecycle.
HSM works as a trustworthy base that protects the cryptographic infrastructure for our apps by managing, processing and securely storing encryption keys on a server with specially reinforced unassailable security. HSM technology helps us provide our customers with the highest level of encryption for their data and the highest level of security currently available.

BRING YOUR OWN KEY (BYOK)

Our customers can host their own HSM (pursuant to PKCS11) to protect their encryption key. All our customers’ data are encrypted with their own key. These keys are then secured in the client HSM and not in the provider’s HSM.

OTHER SECURITY FEATURES

SECURE PASSWORDS

Each user is identified by a unique username and password. All users must choose their own secure password. No password is ever sent by email or posted at any time to anyone. Passwords are stored in hash form with injective one-way encryption.
The minimum default password policy is as follows:

  • They must include three different types of characters (lower case, upper case, numbers or special characters).
  • A minimum of 10 characters.

The procedure for obtaining or recovering a password: email with a secure one-time access link (expiring after 24 hours and after the first use).
Each request made to the servers is authenticated to verify the user’s identity and whether the user has the proper authorisation to execute the requested action. The request is processed for execution only if all controls are successfully validated.

STRONG SMS AUTHENTICATION (TFA)

TFA (Two Factor Authentication) can further reinforce user security when accessing the application. After entering a login and password, the user receives an SMS code to complete the authentication process. Each code may only be used once and corresponds to a specific login attempt.

AUDIT

In order to ensure the highest level of security, we apply three redundant control levels: internal audits, weekly automatic audits and yearly external human audits.
If a security breach is detected, it is corrected as quickly as possible. Recommendations and best practices are systematically applied.

AUDITS INTERNES

DiliTrust applies strict internal procedures as concerns security:

  • Security by design: the development teams are trained on different intrusion techniques and the secure code for protection against them;
  • Internal code review procedures and security tests before rolling out any new feature;

Internal security tests and the use of various security audit tools, mainly those available through Linux Kali distribution.

EXTERNAL AUDITS BY INDEPENDENT EXPERTS

We have full security audits conducted at least once a year by an external independent company that specialises in IT security (non-automated human intrusion tests).
A security report is generated at the end of each test; any breaches are immediately corrected and recommendations for improvement are applied as soon as possible.

AUTOMATED AUDITS (QUALYS)

Our systems are secured by Qualys. The service is subject to a intensive weekly security sweeps on a server level (firewall configuration, ports, updated software versions, SSL configuration, etc.) as well as the application level (XSS, injection SQL, session hijacking, etc.)
It is tested to successfully pass all recommendations for external vulnerability audits from the following organisations:

  • Department of Homeland Security’s National Infrastructure Protection Centre (NIPC)
  • OWASP Top 10 Most Critical Web Application Security Risks
  • SANS/FBI Top 20 Internet Security Vulnerabilities list
  • Visa’s CISP and AIS
  • Mastercard’s SDP
  • American Express’ DSS
  • Discover Card’s DISC security standards.

 

DiliTrust also complies with the security criteria established in regulations such as:

  • Health Insurance Portability & Accountability Act (HIPAA)
  • Gramm-Leach-Bliley Act (GLBA)
  • Sarbanes-Oxley Act (SOA)
  • Government Information Security Reform Act (GISRA)
  • Canada’s Personal Information Protection and Electronic Documents Act.

 

    

Download