Security and compliance are top priorities for Dhound because they are fundamental to your experience with the product. Dhound is committed to securing your application’s data, eliminating systems vulnerability, and ensuring continuity of access.
Dhound uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss.
If you would like to report a vulnerability or have any security concerns with a Dhound product, please contact firstname.lastname@example.org.
Dhound’s payment and card information is handled by Braintree, which has been audited by an independent PCI Qualified Security Assessor and is certified as a PCI Level 1 Service Provider, the most stringent level of certification available in the payments industry.
Dhound does not typically receive credit card data, making it compliant with Payment Card Industry Data Security Standards (PCI DSS) in most situations.
General Data Protection Regulation (GDPR) is a European regulation to strengthen and unify the data protection of EU citizens. As of the 25th of May 2018, all companies worldwide that store and process data about EU citizens will be required to comply with GDPR.
Based on the research conducted by both our inside and outside counsels we are confident these changes will address the requirements of GDPR. We will communicate these changes in detail around the first of the year.
Here’s a brief of our GDPR Roadmap:
Dhound uses hetzner.de with Germany data Center as a hosting provider. Hetzner hosting is compliant with ISO/IEC 27001. Hetzner data centers feature a layered security model, including extensive safeguards.
Dhound employees do not have physical access to Hetzner data centers, servers, network equipment, or storage.
Dhound is the assigned administrator of its infrastructure on Hetzner Platform, and only designated authorized Dhound operations team members have access to configure the infrastructure. Specific private keys are required for individual servers, and keys are stored in a secure and encrypted locations.
Dhound team has reach experience in penetration testing and conducts internal security analysis before each serious release.
Dhound undergoes black box penetration testing, conducted by an independent, third-party agency, on an annual basis. For black box testing, Dhound provides the agency with an isolated clone of a test client Dhound instance and a high-level diagram of application architecture.
Dhound has installed the intrusion detection system dhound.io on each server that allows to detect and react on a security events and incidents in real time.
Dhound is configured in High-availability model and uses properly-provisioned, redundant servers (e.g., multiple load balancers, web servers, replica databases) in the case of failure. As part of regular maintenance, servers are taken out of operation without impacting availability.
Dhound keeps regular hourly encrypted backups of data outside of the servers (dedicated file storage). While never expected, in the case of production data loss (i.e., primary data stores lost), Dhound will able restore data from these backups.
In the event of a region-wide outage, Dhound has a plan how quickly bring up a duplicate environment on another hosting provider within EU. The Dhound operations team has extensive experience performing secured migrations.
All data in Dhound servers is automatically encrypted at rest. RSA 2048 is used for backup encryptions. All private keys are kept separately from the live environment.
So, if an intruder were ever able to access any of the physical storage devices, the Dhound data contained therein would still be impossible to decrypt without the keys, rendering the information a useless jumble of random characters.
Dhound uses only world-standard encryption algorithms:
All communication are restricted with using only encrypted channels. Only TLS 1.0, 2.0, 3.0 and higher allowed. The current level of SSL Configuration is A+ (https://www.ssllabs.com/ssltest/analyze.html?d=dhound.io)
Dhound believes that good security practices start with our own team, so Dhound goes out of own way to protect against internal threats and local vulnerabilities. All company-provided workstations run antiviruses, strongly configured firewalls and other security features.
Dhound follows the risk management procedures outlined in NIST SP 800-30, which include nine steps for risk assessment and seven steps for risk mitigation.
All Dhound product changes must go through code review, CI, and build pipeline to reach production servers. Only designated employees on Dhound’s operations team have secure shell (SSH) access to production servers.
Dhound performs testing and risk management on all systems and applications on a regular and ongoing basis. New methods are developed, reviewed, and deployed to production via pull request and internal review. New risk management practices are documented and shared via staff presentations on lessons learned and best practices.
The Dhound operations team includes service continuity and threat remediation among its top priorities. Dhound keeps a contingency plan in case of unforeseen events, including risk management, disaster recovery, and customer communication sub-plans that are tested and updated on an ongoing basis and thoroughly reviewed for gaps and changes at least annually.
Dhound follows the incident handling and response process recommended by SANS, which includes identifying, containing, eradicating, recovering from, communicating, and documenting security events. Dhound notifies customers of any data breaches as soon as possible via email, followed by multiple periodic updates throughout each day addressing progress and impact.
Security Development Lifecycle (SDLC) is a software development process that helps developers build more secure software and address security compliance requirements. Combining a holistic and practical approach, the SDLC introduces security and privacy early and throughout all phases of the development process.
Security of development process is based on developed own version of security development lifecycle process IDS SDLC.