DecoNetwork maintains the highest standards in server security to ensure that your information is protected. DecoNetwork has an extensive set of security measures in place to guard our servers against security vulnerabilities, such as data theft, spam, site hijacking, data corruption, and denial of service attacks. You can rest assured that DecoNetwork follows industry standards and best practices to protect our servers against security risks.
This page provides you with answers to the frequently asked questions about DecoNetwork's server security measures.
Compliance with Security Standards
Question: Is DecoNetwork PCI compliant?
Answer: DecoNetwork is Level 1 PCI DSS compliant. This compliance extends to all online stores powered by DecoNetwork.
PCI DSS is the standard for protection of customer credit card information. For more information visit the PCI Compliance Guide website.
Question: How can I verify DecoNetwork's current PCI DSS compliance status?
Answer: You can run a PCI test against your DecoNetwork store using a free online PCI compliance test tool. Search "free PCI compliance test tool" in your browser to find a tool.
Question: What Protocols does the DecoNetwork application support?
Answer: DecoNetwork supports JavaScript Object Notation (JSON), an open-standard, human-readable file format for exchanging structured data between servers and web applications.
Question: Are DecoNetwork’s security operations, policies, procedures, and standards compatible and in compliance with the ISO 27001 Security Standard?
Answer: DecoNetwork follows the practices outlined in the PCI Data Security Standard, where applicable, to keep information access secure.
Question: Does DecoNetwork have SOC 2 Type 2 certification?
Answer: DecoNetwork does not have SOC 2 Type 2 certification. However, DecoNetwork is fully PCI DSS compliant. If a client wishes to pay the total cost of a SOC 2 audit, we are happy to enter discussions and make arrangements for the audit.
Server Hardening Processes
Question: How does DecoNetwork secure its servers?
Answer: We do a number of things to protect your data against the most sophisticated cyber attacks. The following is a subset of our server security practices:
- DDoS Protection: We employ a third-party DDoS protection and mitigation service (DOSarrest) to protect against DDoS (Distributed Denial of Service) attacks. All traffic is routed through the DOSarrest network.
- SSH Key Authentication: SSH Keys are used to secure the DecoNetwork server against unauthorized access. SSH Keys provide strong authentication for system administrators and secure encrypted data communications over the Internet.
- Secured Data Centers: DecoNetwork's servers are located in highly secure, third-party data centers with multiple layers of security controls to protect against unauthorized access and environmental threats.
- PCI Vulnerability Scanning: We use standard PCI scanning to identify security vulnerabilities such as SQL injection and cross-site scripting (XSS). Standard development practices are followed to prevent them.
- Sandbox Security: We use Docker containers to isolate the application in a sandbox environment to detect security threats and keep vulnerabilities from spreading.
- Two-Way Firewall: We have configured firewall rules to monitor both inbound and outbound connections for unwanted traffic.
Question: What are DecoNetwork's platform monitoring and reporting capabilities?
Answer: DecoNetwork carries out real-time monitoring at the IP, firewall, application, hardware node, and facility levels using a number of off-the-shelf and custom solutions.
Question: How does DecoNetwork monitor for threats?
Answer: DecoNetwork employs a number of tools to monitor server activity for malicious threats and intrusion attempts. We run OSSEC, a host-based intrusion detection system (HIDS), and Zabbix, a monitoring solution, to be notified of potential security and system issues. We also subscribe to vulnerability RSS feeds (www.cvedetails.com) to be notified of any known exploits for all software we are running.
Application Level Security
Question: Is the DecoNetwork application available as a public cloud, private cloud or on-premise install?
Answer: The DecoNetwork application is a public cloud service.
Question: How is my password secured?
Answer: DecoNetwork account passwords are securely stored using one-way salted hash encryption. This means that passwords are not transmitted or stored in clear text.
Question: How are user accounts managed?
Answer: User accounts to your DecoNetwork subscription are managed by you. You can add a number of users with different permissions in the back end of your DecoNetwork account. The number of user accounts you can add depends on the plan that you subscribe to.
Question: Does DecoNetwork support SSO (single sign-on)?
Answer: DecoNetwork supports custom SSO integration in the form of an API add-on that uses JWT (JSON Web Token) single sign-on. Note that only Enterprise customers have access to this add-on; it is enabled via the App Store.
Physical Security
Question: Where are DecoNetwork's servers located?
Answer: Our servers are located in top-tier third-party data centers in the US. Our main application is hosted with Aptum in Los Angeles. Some elements of our service, including the CorelDRAW vector engine, are hosted with AWS.
Question: What is the address where customers' digital data will be stored?
Answer: The primary live site is in Los Angeles and the standby site is in Florida. We do not disclose actual locations, however, they are managed by Aptum.
Question: How is physical equipment secured?
Answer: This is done by our server providers, Aptum and AWS.
Both Aptum and AWS data centers have a combination of access controls and environmental safeguards in place to secure physical equipment.
Aptum safeguards against unauthorized access include:
- 24x7x365 video surveillance monitoring of the data center complex
- Centralized card access control system with dual-factor biometric authentication
- Mantrap entry system to prevent tailgating
Aptum safeguards against environmental factors include:
- All network equipment is on dedicated UPS/battery backup to ensure uptime
- Generator power backup with 24 hours of on-site fuel storage capacity in the event of a power outage
- Redundant air distribution on all mechanical components
- Pre-action dry pipe fire suppression system
- Hot/cold aisle containment: cold aisle enclosed with polypropylene strip doors and blanking panels in cabinets
AWS safeguards against unauthorized access include:
- Locations in nondescript facilities
- 24/7 trained security guards
- Record keeping, video recording, storage and review of all physical access to the facilities
- Multi-factor authentication for physical access
AWS safeguards against environmental factors include:
- Automatic fire detection and suppression equipment
- Uninterruptible Power Supply (UPS) units to provide backup power in the event of an electrical failure
- Climate and temperature control to prevent overheating and reduce the possibility of power outages
Data Security
Question: What information does DecoNetwork collect?
Answer: DecoNetwork collects information, including personally identifiable information (PII), for use only within the context of your DecoNetwork website. We collect customers' email, name, phone, login, and address. An IP address is stored in a login audit log, and against orders. Credit card details are not stored.
This information is collected mainly for the purpose of processing transactions. It also serves to improve customer service and improve service efficiency.
Question: How does DecoNetwork protect my information?
Answer: DecoNetwork uses Secure Sockets Layer (SSL) technology to transmit your information over a secure connection. Customers' PII is protected by the DecoNetwork application, which allows access only to authorized users.
Question: Will the customer's digital information be shared with a third party at any time?
Answer: DecoNetwork does not share personal data with any third parties, except for data that a third-party service requires when a DecoNetwork customer requests access to that service, e.g. a third-party payment gateway or shipping provider. Such third parties provide levels of protection that match or exceed those provided by DecoNetwork. Wherever possible, personal data is not shared.
Question: How long is client data retained?
Answer: Client data is removed within 90 days of cancellation, with the exception of account holder contact information for security purposes. No data is shared with third parties.
Question: How does DecoNetwork securely destroy data when a customer asks to delete their personal data?
Answer: DecoNetwork uses overwriting to destroy or permanently de-identify personal information if it is no longer needed for any purpose. This process erases the old data and renders anything left completely unreadable.
Question: When disposing of computers, tapes, hard drives, or any other electronic media that contains client information, is all the data securely erased?
Answer: Data is erased using overwrite procedures but not specifically in accordance with any standard, as the data is not stored in ways that make any data readable, identifiable, or useful and is hosted on third-party cloud service providers that have strong safeguards against unauthorized access.
Question: What mechanisms exist for me to access the data that DecoNetwork collects?
Answer: You can use a JSON API, an application programming interface, to access order information. You can use CSV export methods to access customer details.
Question: How readily available is the clients' data if required for backup purposes and/or if the contractual agreement should end?
Answer: Customers can easily retrieve their data through the tools provided at any time.
Question: How does DecoNetwork safeguard my data?
Answer: DecoNetwork has the following safeguards in place to ensure that your data remains secure, private, and available at all times:
- Data Encryption: All data transmission to DecoNetwork is encrypted using industry-standard encryption: PKCS #1 SHA-256 with RSA.
- SSL Authentication: SSL (Secure Sockets Layer) certificates are used to authenticate the identity of your business and encrypt the data in transit.
- Secure Communication: All sensitive information and backend management is transmitted over the HyperText Transfer Protocol Secure (HTTPS) transport protocol.
- Regular Realtime Remote Backups: To support data recovery, a rolling incremental, full snapshot of the database containing all information stored in the DecoNetwork application (including at the transaction level) is taken multiple times a day. We are automatically notified of any issues with backups.
Question: Does DecoNetwork regularly conduct privacy and security audits?
Answer: Yes, DecoNetwork conducts the audits continuously.
Question: Who conducts the audit?
Answer: Senior development management.
Question: What is the most recent audit summary?
Answer: We do not share this information.
Question: What is DecoNetwork's procedure for restoring data should an issue occur?
Answer: The procedure depends on the issue. A full database restore of the system may be required, which involves the system being taken offline, or a partial database restore which may or may not involve downtime.
Question: How are clients notified in case of a security breach?
Answer: In the event of a security breach, we will notify clients affected by the breach immediately by email and by telephone.
Question: If a security or privacy breach is suspected, describe the investigative capabilities available to the client.
Answer: We do not offer access to the platform beyond user-level access as elevated privilege would be a security risk. Therefore, clients have no way to investigate server-side issues for themselves. Be assured that we conduct thorough investigations as an integral part of our data breach response to identify the cause of the breach and what data has been compromised. We take immediate action to contain the breach to prevent any further compromise and eliminate the causes.
Question: Does DecoNetwork's hosted Software as a Service (SaaS) solution provide data segregation through a unique tenant and database?
Answer: No. An Access Control List (ACL) is incorporated into the solution at the lowest levels.
Security Logs
Question: Does DecoNetwork keep security logs?
Answer: Yes, DecoNetwork logs system activity in order to enable security reviews and analysis of the logs to help diagnose issues.
The DecoNetwork application keeps an internal audit log on major functions. A detailed DecoNetwork application request log is kept for 90 days. A log of every row-level change to our database is kept for over 90 days for internal use in tracking down any issues.
Business Hub keeps an order-centric event log for all major events related to an order.
OSSEC, a host-based intrusion detection system (HIDS), is used to analyze all server system logs and notifies DecoNetwork administrators when a rule is triggered.
Question: How can I access the logs?
Answer: Business Hub event and change logs are available within Business Hub. Other logs are only available to DecoNetwork.
Question: How do you monitor interactions between our systems and alert us of issues?
Answer: We do not monitor interactions between your system and ours.
If your system depends on an endpoint provided by DecoNetwork, it is your responsibility to monitor that endpoint. We internally monitor many systems and their metrics to proactively notify our internal technical staff before system issues occur. We monitor our system from an external perspective using Pingdom, a website performance monitoring tool.