Information Security is Our #1 Priority
Our customers entrust us with their most strategic information. We owe them the highest level of security in return.
Our servers are located in France, Canada, Morocco, and the United Arab Emirates. The data is neither shared on the cloud nor accessible to the U.S. Cloud Act or to the Freedom Act. The data is encrypted during transmission and storage. DiliTrust Exec is ISO 27001 certified.
Three Different Levels of Protection
1: Physical infrastructure:
ISO 27001 certified hosting
In order to continuously improve data protection and ensure the confidentiality of all information, DiliTrust Exec board portals are hosted on servers that have obtained certifications in the field of computer security.
The hosting is certified by the international standard ISO/IEC 27001:2013. This standard guarantees the implementation of an Information Security Management System for data safety. ISO 27001 also defines control measures to ensure the relevance of the system to provide our customers with very high level security requirements.
All confidential data at rest is encrypted using the Advanced Encryption Standard (AES) with a 256-bit key. It is encrypted both on servers and on mobile devices (for locally stored data).
We use TLS encryption (TLS 1.0, 1.1 and 1.2 protocols only) with the highest levels of encryption (256 bits) for all traffic (moving data). No unencrypted traffic is permitted. Only modern and secure browsers are supported (IE9 +, Firefox, Chrome, Safari) and mobile applications are native. Access is denied when browsing with obsolete and insecure browsers (such as IE6).
2: Server-application level:
Three levels of redundant security controls are in place: internal audits, daily automated audits and periodic human external audits. If a security vulnerability is discovered, it is corrected as soon as possible. Recommendations and best practices are applied systematically to achieve the highest security possible:
- Internal audits
DiliTrust applies strict internal procedures to enforce best security practices:
- Internal “code review” procedures and safety tests before each new functionality is put into production.
- Internal security testing and use of various security audit tools.
- Automated and daily intrusion tests
Our system is secured by Qualys. It is subjected to an intensive daily scan of security level server (config firewall, ports, updated software versions, config SSL etc.) but also level applications (XSS, injection SQL, hijacking session etc.)
Qualys intrusion testing ensures that the security of the application complies with all PCI (Payment Card Industry Data Security Standard) security requirements and external vulnerability audit recommendations from the following organizations:
- National Infrastructure Protection Center (NIPC)
- Department of Homeland Security
- Top 10 OWASP
- VISA Vulnerability Verification Requirements
- AIS, SDP MasterCard, American Express DSS
- DISC Discover Card Safety Standards
- Discover Card’s DISC security standards external audits by independent experts
Once or twice a year, we conduct a complete external security audit carried out by a third party specialised in computer security (non-automated “human” intrusion tests).
3: Client level:
TLS encryption, 256-bit key
Each user is identified by a unique username and given a temporary password. All users have to change their password on first login. The default password strength enforces a “strong” password policy. Passwords are saved as hash after unidirectional (injective) encryption.
Each request made to our servers is authenticated to verify the identity of the user and whether the user has the appropriate permissions to perform the requested action. The request is transmitted for execution if, and only if, these checks are successfully validated.
A strong authentication by text message (TFA = Two factor authentication) option: following the entry of its login and password, the user receives a SMS with a code to enter in order to finalize its authentication. Each code is a single-use one and corresponds to a specific connection attempt.