DecoNetwork has an extensive set of security measures in place to guard our servers against threats such as data theft, spam, site hijacking, data corruption and denial of service attacks. DecoNetwork follows industry standards and best practices to protect our servers against these risks.
This page provides you with answers to the frequently asked questions about DecoNetwork's server security measures.
Compliance with Security Standards
Question: Is DecoNetwork PCI compliant?
Answer: DecoNetwork is Level 1 PCI DSS compliant. This compliance extends to all online stores powered by DecoNetwork.
PCI DSS (Payment Card Industry Data Security Standard) is the card brands' standard for protecting cardholder data. For more information, visit the PCI Compliance Guide website.
Question: How can I verify DecoNetwork's current PCI DSS compliance status?
Answer: You can run an external vulnerability scan against your store's public hostname using a free online PCI scanning tool (search "free PCI compliance test tool" in your browser to find one). Note that such a scan only checks the Internet-facing surface of your store and is not by itself evidence of Level 1 compliance; the formal evidence is the Attestation of Compliance (AOC) produced by the annual assessment.
Question: What Protocols does the DecoNetwork application support?
Answer: The DecoNetwork application exchanges structured data as JavaScript Object Notation (JSON), an open, human-readable format, carried over HTTPS. A SOAP API is also available for order data (see Data Security below).
Question: Are DecoNetwork’s security operations, policies, procedures, and standards compatible and in compliance with the ISO 27001 Security Standard?
Answer: DecoNetwork does not claim ISO 27001 certification. Its security operations, policies and procedures follow the PCI Data Security Standard, where applicable, to keep information assets secure.
Server Hardening Processes
Question: How does DecoNetwork secure its servers?
Answer: We do a number of things to protect your data against the most sophisticated cyber attacks. The following is a subset of our server security practices:
- DDoS Protection: We use a third-party DDoS protection and mitigation service (DOSarrest) to defend against Distributed Denial of Service (DDoS) attacks. All traffic is routed through the DOSarrest network.
- SSH Key Authentication: Administrative access to DecoNetwork servers is over SSH with key-based authentication rather than passwords. SSH keys provide strong authentication for system administrators and an encrypted channel over the Internet.
- Secured Data Centers: DecoNetwork's servers are located in highly secure, third-party data centers with multiple layers of security controls to protect against unauthorized access and environmental threats.
- PCI Vulnerability Scanning: We run standard PCI vulnerability scans to identify flaws such as SQL injection and cross-site scripting (XSS). Secure development practices are followed to prevent them.
- Sandbox Security: The application runs in Docker containers, which isolate it from the host and from other components so that a compromise of one component is contained rather than spreading.
- Two-Way Firewall: Firewall rules filter both inbound and outbound connections for unwanted traffic.
Question: How does DecoNetwork monitor for threats?
Answer: DecoNetwork uses several tools to monitor server activity for malicious activity and intrusion attempts. We run OSSEC, a host-based intrusion detection system (HIDS), and Zabbix, an infrastructure monitoring system, so that we are notified of potential security and system issues. We also subscribe to vulnerability RSS feeds (www.cvedetails.com) to be notified of newly published CVEs affecting the software we run.
Application Level Security
Question: Is the DecoNetwork application available as a public cloud, private cloud or on-premise install?
Answer: The DecoNetwork application is a public cloud service.
Question: How is my password secured?
Answer: DecoNetwork account passwords are stored as salted one-way hashes, not encrypted. A hash cannot be reversed to recover the password, and a per-password salt means identical passwords produce different stored values. Passwords are never stored in clear text and are only transmitted over encrypted HTTPS connections.
Question: How are user accounts managed?
Answer: User accounts to your DecoNetwork subscription are managed by you. You can add a number of users with different permissions in the back-end of your DecoNetwork account. The number of user accounts you can add depends on the plan that you subscribe to.
Question: Does DecoNetwork support SSO (single sign-on)?
Answer: DecoNetwork supports custom SSO integration through an API add-on that uses JWT (JSON Web Token) based single sign-on. Only Enterprise customers have access to this add-on (enable it via the App store).
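The page does not document the claim set, signing key arrangement or endpoints of the JWT add-on, so the following is a generic added example rather than DecoNetwork's implementation. It shows the two halves of a JWT single sign-on exchange with an assumed shared secret and HS256: the identity provider mints a short-lived token carrying an assumed sub and email claim, and the accepting service verifies it. The verifier pins the algorithm before looking at the signature (so an unsigned "alg": "none" token is rejected), compares the signature in constant time, and checks expiry before trusting any claim.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

ALLOWED_ALG = "HS256"  # assumed signing scheme; pinned, never read from the token


class TokenError(ValueError):
    """Raised for any token the verifier must reject."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    try:
        return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))
    except ValueError:
        raise TokenError("bad base64url segment")


def mint_token(claims: dict, secret: bytes, ttl_seconds: int = 300,
               now: Optional[int] = None) -> str:
    """Identity-provider side: sign {claims, iat, exp} with the shared secret.
    Keep the lifetime short; the token is a bearer credential."""
    now = int(time.time()) if now is None else now
    header = {"alg": ALLOWED_ALG, "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    ]
    signing_input = ".".join(segments).encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return ".".join(segments + [_b64url_encode(signature)])


def verify_token(token: str, secret: bytes, now: Optional[int] = None,
                 leeway: int = 0) -> dict:
    """Accepting-service side. Order matters: pin the algorithm before touching
    the signature, and check the signature before trusting any claim."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, signature_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
    except ValueError:
        raise TokenError("bad header")
    # Never let the token choose its own algorithm: "none" (unsigned) tokens and
    # algorithm-confusion attacks both start here.
    if not isinstance(header, dict) or header.get("alg") != ALLOWED_ALG:
        raise TokenError("unexpected alg")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(signature_b64)):
        raise TokenError("bad signature")
    try:
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        raise TokenError("bad payload")
    exp = payload.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise TokenError("expired or missing exp")
    if not payload.get("sub"):
        raise TokenError("missing sub")
    return payload


def token_is_valid(token: str, secret: bytes, now: Optional[int] = None) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        verify_token(token, secret, now=now)
        return True
    except TokenError:
        return False


if __name__ == "__main__":
    secret = b"shared-secret-example"  # constructed; in practice a long random per-customer key
    token = mint_token({"sub": "user-42", "email": "jane@example.com"}, secret)
    print(token)
    print(verify_token(token, secret))
```

In a real deployment the shared secret is per customer and kept out of the browser, and the verifier should also bind the token to its intended audience and issuer; the page does not specify which of those claims the add-on uses, so they are left out here.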
Physical Security
Question: Where are DecoNetwork's servers located?
Answer: Our servers are located in top-tier third-party data centers in the US. Our main application is hosted with ServerBeach in Texas. Some elements of our service, including the CorelDRAW vector engine, are hosted with AWS.
Question: How is physical equipment secured?
Answer: This is done by our server providers, ServerBeach and AWS.
Both ServerBeach and AWS data centers have a combination of access controls and environmental safeguards in place to secure physical equipment.
ServerBeach safeguards against unauthorized access include:
- Video surveillance monitoring of the entire data center complex
- Perimeter fence and pass-card protected gate
- Biometric (thumb scan) lock for added security
- State-of-the-art single-entry mantrap
ServerBeach safeguards against environmental factors include:
- Power infrastructure that provides near-instantaneous protection from input power interruptions
- Advanced chilled water cooling systems to prevent overheating and reduce the possibility of power outages
- Robust fire detection and suppression systems
AWS safeguards against unauthorized access include:
- Locations in nondescript facilities
- 24/7 trained security guards
- Record keeping, video recording, storage and review of all physical access to the facilities
- Multi-factor authentication for physical access
AWS safeguards against environmental factors include:
- Automatic fire detection and suppression equipment
- Uninterruptible Power Supply (UPS) units to provide backup power in the event of an electrical failure
- Climate and temperature control to prevent overheating and reduce the possibility of power outages
Data Security
Question: What information does DecoNetwork collect?
Answer: DecoNetwork collects information, including personally identifiable information (PII), for use only within the context of your DecoNetwork website. We collect customers' email, name, phone, login, and address. An IP address is stored in a login audit log, and against orders. Credit card details are not stored.
This information is collected mainly for the purpose of processing transactions. It also serves to improve customer service and improve service efficiency.
Question: How does DecoNetwork protect my information?
Answer: DecoNetwork uses TLS (Transport Layer Security, the successor to SSL) to transmit your information over an encrypted connection. Within the application, customers' PII is protected by restricting access to authorized users only.
Question: What mechanisms exist for me to access the data that DecoNetwork collects?
Answer: You can use the SOAP (Simple Object Access Protocol) API to retrieve order information, and CSV export to retrieve customer details.
Question: How does DecoNetwork safeguard my data?
Answer: DecoNetwork has the following safeguards in place to ensure that your data remains secure, private and available at all times:
- Data Encryption: All data in transit to and from DecoNetwork is encrypted with TLS. The server certificate is signed using SHA-256 with RSA (PKCS #1), so browsers can verify that it is genuine and untampered.
- TLS Authentication: TLS (formerly SSL) certificates authenticate your store's domain to visitors' browsers and encrypt the data in transit.
- Secure Communication: All sensitive information and backend management traffic is carried over HTTPS (HyperText Transfer Protocol Secure).
- Regular Backups: To support data recovery, a rolling incremental/full snapshot of the database is taken multiple times a day. We are automatically notified of any issues with backups.
Question: What is DecoNetwork's procedure for restoring data should an issue occur?
Answer: The procedure depends on the issue. A full database restore of the system may be required, which involves the system being taken offline, or a partial database restore which may or may not involve downtime.
Security Logs
Question: Does DecoNetwork keep security logs?
Answer: Yes, DecoNetwork logs system activity in order to enable security reviews and analysis of the logs to help diagnose issues.
The DecoNetwork application keeps an internal audit log of major functions. A detailed application request log is kept for 30 days.
Business Hub keeps an order-centric event log for all major events related to an order.
OSSEC, a host-based intrusion detection system (HIDS), analyzes all server system logs and notifies DecoNetwork administrators when a rule is triggered.
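Both the threat-monitoring answer above (Server Hardening Processes) and this one describe OSSEC triggering rules on server logs without showing what such a rule does. The following is an added example, not OSSEC's code or any DecoNetwork rule: a small Python detector in the spirit of a HIDS sshd rule, run over constructed sshd lines in syslog format. It correlates failed logins per source IP in a sliding time window, raises a brute-force alert at a threshold, and escalates if an IP that was flagged later logs in successfully. The year, threshold and window are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import List, Optional

# Constructed sshd lines in syslog format for this example; not real DecoNetwork logs.
SAMPLE_LOG = """\
Mar  3 10:01:02 web1 sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 51122 ssh2
Mar  3 10:01:05 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51130 ssh2
Mar  3 10:01:09 web1 sshd[2105]: Failed password for root from 203.0.113.7 port 51141 ssh2
Mar  3 10:01:12 web1 sshd[2107]: Failed password for invalid user test from 198.51.100.9 port 40022 ssh2
Mar  3 10:01:14 web1 sshd[2109]: Failed password for root from 203.0.113.7 port 51150 ssh2
Mar  3 10:01:17 web1 sshd[2111]: Failed password for root from 203.0.113.7 port 51158 ssh2
Mar  3 10:01:30 web1 sshd[2113]: Accepted publickey for deploy from 192.0.2.10 port 60011 ssh2
Mar  3 10:01:42 web1 sshd[2115]: Failed password for invalid user oracle from 198.51.100.9 port 40031 ssh2
Mar  3 10:02:05 web1 sshd[2117]: Accepted password for root from 203.0.113.7 port 51170 ssh2
"""

LOG_YEAR = 2024  # syslog timestamps carry no year; assumed for the constructed sample

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: (?P<msg>.*)$")
FAILED_RE = re.compile(
    r"^Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+")
ACCEPTED_RE = re.compile(
    r"^Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+")


def parse_line(line: str) -> Optional[dict]:
    """Decode one syslog line into an auth event, or None if it is not one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = " ".join(m["ts"].split())  # collapse the day padding in "Mar  3"
    ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
    msg = m["msg"]
    f = FAILED_RE.match(msg)
    if f:
        return {"ts": ts, "kind": "failed", "user": f["user"], "ip": f["ip"], "method": "password"}
    a = ACCEPTED_RE.match(msg)
    if a:
        return {"ts": ts, "kind": "accepted", "user": a["user"], "ip": a["ip"], "method": a["method"]}
    return None


def detect(log_text: str, threshold: int = 5, window_seconds: int = 120) -> List[dict]:
    """Sliding-window correlation: `threshold` failures from one source IP within
    `window_seconds` raises a brute-force alert; a later successful login from an
    IP that was flagged is escalated, because that is the case that matters."""
    failures = defaultdict(deque)  # ip -> timestamps of recent failures
    flagged = set()
    alerts: List[dict] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        ts, ip = ev["ts"], ev["ip"]
        if ev["kind"] == "failed":
            window = failures[ip]
            window.append(ts)
            while window and (ts - window[0]).total_seconds() > window_seconds:
                window.popleft()  # drop failures older than the window
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)  # alert once per source, not on every further failure
                alerts.append({"rule": "sshd_bruteforce", "severity": "high", "ip": ip,
                               "count": len(window), "at": ts.isoformat()})
        elif ev["kind"] == "accepted" and ip in flagged:
            alerts.append({"rule": "sshd_success_after_bruteforce", "severity": "critical",
                           "ip": ip, "user": ev["user"], "method": ev["method"],
                           "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

On the sample, 203.0.113.7 crosses the threshold on its fifth failure and is then escalated when "root" logs in by password from it; the two failures from 198.51.100.9 and the key-based login from 192.0.2.10 produce nothing. On hosts where password authentication is disabled in favour of SSH keys, as the page describes, any "Accepted password" line is itself worth a rule.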
Question: How can I access the logs?
Answer: Business Hub event and change logs are available within Business Hub. Other logs are only available to DecoNetwork.
Question: How do you monitor interactions between our systems and alert us of issues?
Answer: We do not monitor interactions between your system and ours.
If your system depends on an endpoint provided by DecoNetwork, it is your responsibility to monitor that endpoint. We internally monitor many systems and their metrics so that our technical staff are notified before issues affect service. We also monitor our system from an external perspective using Pingdom, a website availability and performance monitoring service.