Security and Dedoose

SECURITY

Overview

Dedoose was designed from the ground up with the understanding that security would have to be the single most important factor if we were to successfully build and provide access to a cloud-based research platform. On this page we outline the policies, practices, and certifications that apply to Dedoose and how they are implemented. If a particular certification that matters to you is not addressed here, please let us know so that we can research it and update this document. Listed below are some of the many certifications that Dedoose and our cloud hosting provider (Microsoft Azure) have passed:

  • ISO/IEC 27018
  • ISO 27001
  • HIPAA
  • FedRamp Moderate
  • SOC 1 and SOC 2
  • SAS 70 Type II / SSAE 16 SOC
  • US-EU Data Shield Compliance
  • GDPR

GDPR (General Data Protection Regulation):

We at Dedoose welcome the stronger privacy and security controls that people now have over their personal data. Dedoose has always been, and always will be, committed to protecting all users’ personal information and data. This includes not selling or trading your personal information or data with any third parties, explicitly requiring opt-in for communications, and providing mechanisms for you to view and export your data, control your personal data, and permanently delete all of your data and all personal information stored in or by Dedoose. In addition to the data security and protection standards ISO 27001 and SOC 2 Type 2, Dedoose participates in and is certified as compliant with the EU-US Privacy Shield Framework with respect to data transfers to the US.

Data use & sharing:

  • Dedoose does not share any customer information with any third-party organization. We respect your rights to your data and do not access or use your data in any way without your explicit permission or a justified reason.
  • Canary Statement: As of this update (3/12/2018), Dedoose has not provided any agency with any customer data for any reason at any time. If an agency makes a legal request for customer data, we promise to use every available action to obscure and delay that request, to use all available legal avenues to reject it, and to inform the affected user(s) of the request.

Physical Security:

Data centers managed by Microsoft have extensive layers of protection: access approval at the facility’s perimeter, at the building’s perimeter, inside the building, and on the datacenter floor. This layered approach reduces the risk of unauthorized users gaining physical access to data and datacenter resources. For details, see https://azure.microsoft.com/en-us/blog/azure-layered-approach-to-physical-security

Data Communication Security:

All data communication with Dedoose goes through a two-lock system. First, Dedoose sets up an SSL/TLS (Secure Sockets Layer / Transport Layer Security) tunnel encrypted with AES-256 (Advanced Encryption Standard) in CBC (Cipher Block Chaining) mode, using an Extended Validation (EV) SSL/TLS certificate. All subsequent communication passes through this encrypted channel, and the user is not prompted for login information until the channel is established. The server then provides the Dedoose client with a one-way write key: an RSA key the client can encrypt with but cannot decrypt with. The Dedoose client hashes the password with a per-user salt (SHA-256) and encrypts the result with this one-way RSA write key so that the server can verify the user’s password. This means Dedoose does not store user passwords. Rather, the system stores the expected result of this algorithm for each username and compares it with the result the Dedoose client sends to the server for authentication. This design prevents man-in-the-middle attacks as well as brute-force password attacks, and, in the event our database is compromised, user passwords will not be revealed. This login system follows the security industry’s best practices and has been verified by Leviathan Security Group.
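The inner layer of the login exchange described above, written out as an added example that is not Dedoose’s own code (Dedoose publishes no implementation): the server hands the client its RSA public “write key” and the user’s salt, the client returns SHA-256(salt || password) sealed under that key, and the server opens the proof and compares it against the stored digest. The TLS tunnel is assumed to be already established, and the names Server, Register, Challenge, ClientProof and Verify, the RSA-OAEP padding, the 2048-bit key and the 16-byte salt are all assumptions, since the page does not specify them.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
)

// credential is all the server keeps per user: a random salt and SHA-256(salt || password).
type credential struct{ salt, digest []byte }
// Server owns the RSA key pair; its public half is the "one-way write key" sent to clients.
type Server struct {
	priv  *rsa.PrivateKey
	users map[string]credential
}

// saltedHash is the per-user salted SHA-256 that both client and server compute.
func saltedHash(salt []byte, password string) []byte {
	sum := sha256.Sum256(append(append([]byte{}, salt...), password...))
	return sum[:]
}

// NewServer generates the server's RSA key pair (2048-bit is an assumption; the page gives no size).
func NewServer() (*Server, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	return &Server{priv: priv, users: map[string]credential{}}, err
}
// Register draws a fresh 16-byte salt and stores only the digest, never the password.
func (s *Server) Register(user, password string) {
	salt := make([]byte, 16)
	rand.Read(salt) // crypto/rand.Read is guaranteed not to fail as of Go 1.24
	s.users[user] = credential{salt, saltedHash(salt, password)}
}

// Challenge is what the server sends once the TLS tunnel (assumed already up) exists: write key and salt.
func (s *Server) Challenge(user string) (*rsa.PublicKey, []byte) {
	return &s.priv.PublicKey, s.users[user].salt
}

// ClientProof hashes the password with the salt and seals the digest under the write key (RSA-OAEP).
func ClientProof(pub *rsa.PublicKey, salt []byte, password string) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, saltedHash(salt, password), nil)
}

// Verify opens the proof with the private key and compares it to the stored digest in constant time.
func (s *Server) Verify(user string, proof []byte) bool {
	digest, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, s.priv, proof, nil)
	cred, ok := s.users[user]
	return err == nil && ok && subtle.ConstantTimeCompare(digest, cred.digest) == 1
}
```

Because SHA-256 is a fast hash, a leaked table of stored digests still lets weak passwords be guessed offline; a deliberately slow password hash such as Argon2 or bcrypt is the usual hardening for the stored digest.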

Data Access Security:

Dedoose includes an account workspace and a project security workspace for managing per-user data access. These give an account’s administrators the ability to manage users, enable or disable users, reset user passwords, and define users, groups, and permissions at a granular per-project level. This security is enforced on both the client side and the server side.

Data Storage Security:

Dedoose is hosted on Microsoft’s Azure US servers, with all project data backed up in full on a nightly basis, encrypted with AES-256, and transferred automatically to redundant storage volumes. One of these volumes is on-site, while the other two are off-site and replicated across geographic regions. All project file data are encrypted and stored in a Microsoft Azure fault-tolerant storage volume and, for added safety, this storage volume is encrypted and mirrored in real time to an Amazon S3 storage volume in the same geographic region. To ensure these processes are working as designed, an automated program runs weekly that: a) downloads the most recent backup files from each storage volume, b) verifies that each backup file is the correct version, c) performs a full test restoration of the database to confirm data integrity, and d) emails the results of the backup and restoration process to key members of the Dedoose Admin team.

Data Retention:

By default, Dedoose keeps a backup of all data for restoration purposes for a period of 2 years. This backup is encrypted using AES-256. A user can delete their project from Dedoose at any time, and upon a certified written request we can remove that data permanently from our backups as well.

Audit Policy:

Dedoose undergoes a variety of security- and compliance-related audits on the following schedules:

  • Real-time automated access and log audits
  • Real-time performance and exception auditing
  • Monthly automated vulnerability and penetration testing audits
  • Monthly manual internal vulnerability and configuration audits
  • Bi-annual third-party red-team penetration testing audit performed by Leviathan Security Group

Data Breach Notification and Incident Response Plan:

Dedoose hosts all data within the continental U.S. unless otherwise agreed on a project-by-project or organization-by-organization basis. Dedoose has a systematic plan for responding to, and notifying users of, any breach of data security. Upon detection of any breach, Dedoose technical staff, led by the Dedoose Chief Technical Officer, will immediately assess the size, scope, and severity of the breach. Following this assessment, Dedoose will notify the administrators of all projects that may have been involved and communicate the response plan. Depending on the nature and cause of the breach, Dedoose will take appropriate action to prevent any future breach and then, to the extent reasonably practicable, restore the integrity of all affected Dedoose project data. Further details about this notification and response plan will be provided upon request.