Last Updated: August 2024
At Dext, we are firm in our commitment to safeguarding the confidentiality, integrity, and availability of our information systems and customer data. Our certifications in ISO/IEC 27001:2022 and ISO 9001:2015 reflect our dedication to upholding the highest standards in information security and quality management, ensuring that we consistently deliver secure and reliable software and services.
Explore our Trust Centre for detailed information on our security practices and certifications.
At Dext, we host our data with Amazon Web Services (AWS), whose data centres are certified for ISO 27001, PCI DSS Service Provider Level 1, and SOC 1 and 2 compliance. AWS ensures the security of its facilities through comprehensive measures such as backup power, fire detection and suppression systems, secure device destruction, and layered physical security controls, including vetted security guards, fencing, video surveillance, and intrusion detection technologies. You can learn more about AWS Compliance here and AWS Physical Security here.
Our in-house security and infrastructure team is dedicated to promptly responding to security alerts and events. We conduct annual third-party penetration tests on our application and supporting infrastructure, with findings tracked and remediated as necessary. Additionally, we leverage AWS's threat detection services for continuous monitoring of malicious or unauthorised activity. Regular internal vulnerability scans are performed on our infrastructure and applications, ensuring that any identified issues are tracked until resolved.
To safeguard against abuse and Denial of Service (DoS) attacks, we implement a multi-layered defence strategy leveraging native AWS tools alongside application-specific mitigation techniques. This approach includes concurrency limiting, which manages the number of active requests at any given time, and rate limiting, which controls the frequency of requests over a defined period.
Access to our systems is tightly controlled, adhering to the principle of least privilege. We perform frequent internal audits and enforce technical controls to ensure compliance, with all access to production systems requiring either Single Sign-On (SSO) or two-factor authentication (2FA).
In Transit: Communication with Dext is encrypted using TLS 1.2 or higher over public networks. We continuously stay updated on and implement the latest best practices in cipher adoption and TLS configuration.
At Rest: All Dext data is encrypted at rest using industry-standard AES-256 encryption, applied at the asset or object level.
Dext’s services are hosted on public cloud infrastructure across multiple availability zones to ensure resilience and scalability. Both point-in-time and snapshot backups are collected and copied to another region for added resiliency. All backups are automatically tested for restorability. For real-time system status, visit our Status Page.
Our Disaster Recovery plan, designed for rapid response to significant regional outages, enables us to deploy our application to a new hosting region swiftly. This plan is regularly tested and updated to ensure continuous service availability.
Dext ensures robust application security through rigorous quality assurance and strict environment segregation. Our QA team, supported by our infrastructure and security team, thoroughly tests the code base to identify and remediate vulnerabilities. We enforce complete separation of testing, staging, and production environments, ensuring that no customer data is used in non-production environments. Regular training and security resources are provided to the QA team to maintain the highest security standards throughout the development process.
All code changes undergo thorough testing through our Continuous Integration software and are first deployed in a staging environment before going live. We also utilise automatic security vulnerability detection tools to monitor our dependencies and to perform static code security analysis, enabling us to catch potential vulnerabilities as early as possible and to quickly apply patches to keep our systems secure.
We deliver a comprehensive Security Awareness Training program to all employees within 30 days of hire, with ongoing sessions throughout the year. An annual refresher is mandatory, covering essential topics such as GDPR compliance. We provide training and resources around secure software development to ensure that our development teams are well-versed in creating secure code and mitigating potential vulnerabilities from the outset.
Dext’s Information Security Program is built around the stringent requirements of ISO/IEC 27001 and ISO 9001 standards. We maintain a comprehensive set of policies and procedures covering all aspects of information security, including risk management, data protection, and incident response. Additionally, we implement policies from other key compliance frameworks. These policies are communicated to all employees and contractors, with formal acknowledgment tracked to ensure organisation-wide compliance.
Access to Dext’s systems and networks is strictly controlled. Single Sign-On (SSO) is mandatory where supported and requires at least two-factor authentication (2FA) for all production systems. Role-based access control (RBAC) ensures employees have the minimum necessary permissions, following the principle of least privilege. Access rights are regularly audited, and access is immediately revoked upon termination or a change in job responsibilities. All access activities are logged and monitored.
Dext’s privacy policy, outlining how we handle data input into Dext, can be found here. For privacy-related questions, please contact our Data Protection Officer (DPO) at dpo@dext.com.
Dext has implemented comprehensive supplier security policies and procedures to ensure the protection of assets and data accessible by our suppliers. These policies establish strict standards for information security, privacy, and service delivery. We conduct thorough evaluations and a rigorous onboarding process for all vendors to ensure they meet our stringent security requirements. Additionally, ongoing monitoring and regular reassessment are performed to maintain these standards.
At Dext, we value the contributions of the security research community in helping us maintain a strong security posture.
Please note that we currently have no practice of paying bounties for security bugs. We believe that a responsible disclosure will benefit all parties involved.
If you discover a potential vulnerability, please notify us by emailing security@dext.com. We will do our best to acknowledge your email within 5 working days.
Please adhere to the following guidelines when reporting vulnerabilities:
While researching, we would like to ask you to refrain from the following:
Please comply with our website use policy and terms and conditions.
Thank you for helping keep Dext and our users safe! Happy bug hunting.
Automatic French Translation of this Page
We wanted our French language customers to understand the information on this page more easily, in French. Dext has therefore used ChatGPT, which automates translation of the page here. The tool is not perfect, and automatic translation may miss context, lose the full meaning, or translate words inaccurately. As a result, Dext cannot guarantee the accuracy of the converted text, and it should be used only as general guidance on the contents of this page. Anyone relying on information obtained from ChatGPT's translation of this page does so at their own risk. Dext fully disclaims and will not accept any liability for damages or losses of any kind caused by the use of the ChatGPT translated page. If there are any discrepancies or differences between the ChatGPT translation and this original page, this version is the version which prevails legally. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, or correctness of any translations made from English into any other language.