Are development, test and production environments segregated?
Yes. Development, testing, staging and production environments are segregated.
Is data encrypted both at rest and in transit?
Yes. Access to our websites, applications and APIs is always secured with HTTPS. Our databases, backups, logs, caches and other storage where we keep customer data are encrypted at rest. Where applicable, intra-application communication is also encrypted.
Technical details
At rest, AES-256 encryption is used.
Transit in and out is always HTTPS, encrypted with TLS 1.2 or above (RSA with AES128-GCM-SHA256).
Intra-application transit inside our production network is AES-256 encrypted.
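The transport claims above (TLS 1.2 or above, an AES-GCM cipher suite) are the kind of thing a customer's security team can verify from the outside. The script below is an added example, not Dealfront's own tooling: evaluate() checks one negotiated protocol/cipher pair against that stated policy, run_samples() exercises it on constructed handshake results so it works offline, and probe_tls() performs a real handshake against a host you name (the host name, port and the "AEAD required" rule are assumptions of this example, not statements from the page).

```python
"""Check negotiated TLS parameters against a stated transport policy.

Added example (not Dealfront's code). Policy assumed here:
  - protocol TLS 1.2 or newer
  - an AEAD cipher suite (AES-GCM or CHACHA20-POLY1305)
"""
import socket
import ssl

MIN_VERSION = "TLSv1.2"
# Ordering of protocol names as returned by SSLSocket.version().
VERSION_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


def evaluate(version: str, cipher: str) -> dict:
    """Return {'compliant': bool, 'problems': [...]} for one handshake result.

    version: protocol name, e.g. 'TLSv1.3'
    cipher:  OpenSSL cipher name, e.g. 'ECDHE-RSA-AES128-GCM-SHA256'
    """
    problems = []
    if VERSION_ORDER.get(version, -1) < VERSION_ORDER[MIN_VERSION]:
        problems.append(f"protocol {version} is below {MIN_VERSION}")
    if "GCM" not in cipher and "CHACHA20" not in cipher:
        problems.append(f"cipher {cipher} is not an AEAD suite")
    return {"compliant": not problems, "problems": problems}


def probe_tls(host: str, port: int = 443, timeout: float = 5.0) -> tuple:
    """Do a real handshake and return (version, cipher_name).

    Uses the platform's default trust store and hostname verification,
    so a certificate problem raises ssl.SSLError instead of being hidden.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.version(), tls.cipher()[0]


# Constructed sample handshake results (not real measurements).
SAMPLE_HANDSHAKES = [
    ("api.example.test", "TLSv1.3", "TLS_AES_256_GCM_SHA384"),
    ("app.example.test", "TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256"),
    ("legacy.example.test", "TLSv1.1", "ECDHE-RSA-AES128-SHA"),
    ("old.example.test", "TLSv1", "DES-CBC3-SHA"),
]


def run_samples(samples=SAMPLE_HANDSHAKES) -> dict:
    """Evaluate each constructed sample; returns {host: verdict}."""
    return {host: evaluate(ver, cipher) for host, ver, cipher in samples}


if __name__ == "__main__":
    for host, verdict in run_samples().items():
        state = "OK " if verdict["compliant"] else "FAIL"
        print(f"{state} {host}: {'; '.join(verdict['problems']) or 'policy met'}")
    # To test a live endpoint instead (assumed host name, replace as needed):
    #   ver, cipher = probe_tls("status.dealfront.com")
    #   print(evaluate(ver, cipher))
```

probe_tls() reports only what one client negotiated with the server's default preferences; to confirm that older protocols are actually refused, repeat the probe with a context whose maximum_version is pinned to TLS 1.1 and expect the handshake to fail.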
Will you require any access to the customer's internal network?
No.
Do you have an Intrusion Detection System (IDS), Intrusion Prevention System (IPS), Web Application Firewall (WAF) or DDOS protection in place?
Yes, we employ all of them, along with many other technical controls.
What kind of physical security controls do you have at your offices?
Electronic keys assigned only to authorized personnel, and alarm systems.
How do you identify vulnerabilities and remediate associated risks?
Continuous penetration testing, automated network and vulnerability scans, dependency scans, container scans, infrastructure monitoring, and human observations. Technical vulnerabilities are handled in accordance with the Vulnerability Management Policy. Non-technical vulnerabilities are handled in the risk management process.
What controls are in place to protect against malicious code?
Automated network and vulnerability scans, dependency scans, container scans, infrastructure monitoring. Malware protection (EDR) solution deployed to endpoints.
Do you use any open-source software as part of providing your services?
Yes, we use an extensive amount of open-source components as part of our software, from Ruby on Rails to Kubernetes. We have an Open Source Policy, which specifies, among other things, the accepted licenses.
What kind of security controls do you have on your endpoints?
The following controls are enforced with an MDM solution on all company endpoints: automated security updates, screen lock after 10 minutes of inactivity, full disk encryption, and an antivirus (EDR) solution.
Are system and security patches applied to workstations and servers on a regular basis?
Yes, automated updates are enabled on all operating systems where feasible and enforced with management solutions. In addition to these technical capabilities, security newsletters are followed so that workarounds for zero-day findings can be applied while waiting for official patches.
What kind of measures do you have in place to ensure the rapid restoration of the availability of data after its interim loss or damage?
Production infrastructure is built on fault-tolerant systems that ensure customer data is stored redundantly across multiple data centers (AWS availability zones). Backups are taken regularly, and backup restoration tests are conducted at least annually.
What availability guarantee do you offer? Do you have a public status page?
Dealfront provides the Services as defined in our General Terms and Conditions (GTC), paragraph 4.12. Our public status page, with the option to subscribe to status updates, is available here: https://status.dealfront.com
Do you have a bug bounty program or do you conduct timely penetration tests?
Yes, we run a private bug bounty program on HackerOne, where ethical hackers do continuous penetration testing against our defined assets. The latest report is available here.
Do you vet applications and browser extensions installed on endpoints?
Yes, we have a process to vet both applications and browser extensions.
--
Questions, comments, feedback? Please let us know by contacting our support team via the chat or by sending us an email at support@dealfront.com.