Information security

Last Updated: August 2024

At Dext, we are firm in our commitment to safeguarding the confidentiality, integrity, and availability of our information systems and customer data. Our certifications in ISO/IEC 27001:2022 and ISO 9001:2015 reflect our dedication to upholding the highest standards in information security and quality management, ensuring that we consistently deliver secure and reliable software and services.

Explore our Trust Centre for detailed information on our security practices and certifications. 

Cloud Security

At Dext, we host our data with Amazon Web Services (AWS), whose data centres are certified for ISO 27001, PCI DSS Service Provider Level 1, and SOC 1 and 2 compliance. AWS ensures the security of its facilities through comprehensive measures such as backup power, fire detection and suppression systems, secure device destruction, and layered physical security controls, including vetted security guards, fencing, video surveillance, and intrusion detection technologies. You can learn more about AWS Compliance here and AWS Physical Security here.

Our in-house security and infrastructure team is dedicated to promptly responding to security alerts and events. We conduct annual third-party penetration tests on our application and supporting infrastructure, with findings tracked and remediated as necessary. Additionally, we leverage AWS's threat detection services for continuous monitoring of malicious or unauthorised activity. Regular internal vulnerability scans are performed on our infrastructure and applications, ensuring that any identified issues are tracked until resolved.

To safeguard against abuse and Denial of Service (DoS) attacks, we implement a multi-layered defence strategy leveraging native AWS tools alongside application-specific mitigation techniques. This approach includes concurrency limiting, which manages the number of active requests at any given time, and rate limiting, which controls the frequency of requests over a defined period.
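The two application-level mitigations named above, rate limiting (request frequency over a period) and concurrency limiting (requests in flight at once), as an added illustration written for this page and not Dext's own code: a per-client token bucket enforces the frequency and a single counter bounds in-flight requests. The limits, client ids and the request trace are constructed assumptions; a fake clock is injected so the behaviour can be checked offline.

```python
"""Added example (not Dext's code): per-client token-bucket rate limiting
combined with a global concurrency limit. Limits, client ids and the request
trace below are constructed for illustration."""
import threading
from collections import defaultdict


class TokenBucket:
    """Rate limiting: a burst of at most `capacity` requests, refilled at
    `rate` tokens per second. Each admitted request spends one token."""

    def __init__(self, capacity: int, rate: float, clock):
        self.capacity = capacity
        self.rate = rate
        self.clock = clock          # callable returning seconds (injected)
        self.tokens = float(capacity)
        self.last = clock()

    def allow(self) -> bool:
        now = self.clock()
        # Refill proportionally to elapsed time, never above capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class ConcurrencyLimiter:
    """Concurrency limiting: at most `max_active` requests in flight at once,
    regardless of how fast they arrive."""

    def __init__(self, max_active: int):
        self.max_active = max_active
        self.active = 0
        self.lock = threading.Lock()

    def acquire(self) -> bool:
        with self.lock:
            if self.active >= self.max_active:
                return False
            self.active += 1
            return True

    def release(self) -> None:
        with self.lock:
            self.active -= 1


class RequestGate:
    """Front door: rate limit per client first (cheap), then the shared
    concurrency limit. A request turned away for concurrency has already
    spent a rate token, so a client cannot hammer a saturated service."""

    def __init__(self, clock, capacity: int, rate: float, max_active: int):
        self.buckets = defaultdict(lambda: TokenBucket(capacity, rate, clock))
        self.concurrency = ConcurrencyLimiter(max_active)

    def admit(self, client_id: str) -> str:
        if not self.buckets[client_id].allow():
            return "429 rate limited"
        if not self.concurrency.acquire():
            return "503 too many in flight"
        return "200 accepted"

    def finish(self) -> None:
        self.concurrency.release()


class FakeClock:
    """Deterministic clock so the trace below replays the same way every run."""

    def __init__(self):
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


# Constructed trace: (time in seconds, client id, "start" or "finish").
TRACE = [
    (0.0, "client-a", "start"),   # admitted, 1 in flight
    (0.0, "client-a", "start"),   # admitted, 2 in flight (the maximum)
    (0.0, "client-a", "start"),   # token spent, but no concurrency slot
    (0.0, "client-a", "start"),   # bucket for client-a is now empty
    (0.0, "client-b", "start"),   # fresh bucket, but still no slot
    (0.5, "client-a", "finish"),  # one request completes, slot freed
    (1.0, "client-a", "start"),   # one token refilled after 1 s, admitted
    (1.0, "client-a", "start"),   # bucket empty again
]


def run_trace(trace, capacity: int = 3, rate: float = 1.0, max_active: int = 2):
    """Replay a trace through the gate and return one decision per 'start'."""
    clock = FakeClock()
    gate = RequestGate(clock, capacity, rate, max_active)
    decisions = []
    for t, client, action in trace:
        clock.t = t
        if action == "start":
            decisions.append(gate.admit(client))
        else:
            gate.finish()
    return decisions


if __name__ == "__main__":
    for decision in run_trace(TRACE):
        print(decision)
```

The two limits answer different questions: the bucket is per client and answers "how often", while the concurrency counter is shared and answers "how many at once", so a burst from one client is rejected with 429 while a saturated service is protected from every client with 503. In production the bucket state would live in a shared store rather than process memory, and the edge-layer (AWS) protections mentioned above sit in front of both.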

Access to our systems is tightly controlled, adhering to the principle of least privilege. We perform frequent internal audits and enforce technical controls to ensure compliance, with all access to production systems requiring either Single Sign-On (SSO) or two-factor authentication (2FA).

Encryption

In Transit: Communication with Dext is encrypted using TLS 1.2 or higher over public networks. We continuously stay updated on and implement the latest best practices in cipher adoption and TLS configuration.

At Rest: All Dext data is encrypted at rest using industry-standard AES-256 encryption, applied at the asset or object level.

Availability & Continuity

Dext’s services are hosted on public cloud infrastructure across multiple availability zones to ensure resilience and scalability. Both point-in-time and snapshot backups are taken and copied to another region for added resiliency. All backups are automatically tested for restorability. For real-time system status, visit our Status Page.

Our Disaster Recovery plan, designed for rapid response to significant regional outages, enables us to deploy our application to a new hosting region swiftly. This plan is regularly tested and updated to ensure continuous service availability.

Application Security

Dext ensures robust application security through rigorous quality assurance and strict environment segregation. Our QA team, supported by our infrastructure and security team, thoroughly tests the code base to identify and remediate vulnerabilities. We enforce complete separation of testing, staging, and production environments, ensuring that no customer data is used in non-production environments. Regular training and security resources are provided to the QA team to maintain the highest security standards throughout the development process.

All code changes undergo thorough testing through our Continuous Integration software and are first deployed in a staging environment before going live. We also utilise automatic security vulnerability detection tools to monitor our dependencies and to perform static code security analysis, enabling us to catch potential vulnerabilities as early as possible and to quickly apply patches to keep our systems secure.

Personnel Security

Security Awareness

We deliver a comprehensive Security Awareness Training program to all employees within 30 days of hire, with ongoing sessions throughout the year. An annual refresher is mandatory, covering essential topics such as GDPR compliance. We provide training and resources around secure software development to ensure that our development teams are well-versed in creating secure code and mitigating potential vulnerabilities from the outset.

Information Security Program

Dext’s Information Security Program is built around the stringent requirements of ISO/IEC 27001 and ISO 9001 standards. We maintain a comprehensive set of policies and procedures covering all aspects of information security, including risk management, data protection, and incident response. Additionally, we implement policies from other key compliance frameworks. These policies are communicated to all employees and contractors, with formal acknowledgment tracked to ensure organisation-wide compliance.

Access Controls

Access to Dext’s systems and networks is strictly controlled. Single Sign-On (SSO) is mandatory where supported and requires at least two-factor authentication (2FA) for all production systems. Role-based access control (RBAC) ensures employees have the minimum necessary permissions, following the principle of least privilege. Access rights are regularly audited, and access is immediately revoked upon termination or a change in job responsibilities. All access activities are logged and monitored.

Data Privacy

Dext’s privacy policy, outlining how we handle data input into Dext, can be found here. For privacy-related questions, please contact our Data Protection Officer (DPO) at dpo@dext.com.

Supplier Security Management

Dext has implemented comprehensive supplier security policies and procedures to ensure the protection of assets and data accessible by our suppliers. These policies establish strict standards for information security, privacy, and service delivery. We conduct thorough evaluations and a rigorous onboarding process for all vendors to ensure they meet our stringent security requirements. Additionally, ongoing monitoring and regular reassessment are performed to maintain these standards.

Responsible Disclosure

At Dext, we value the contributions of the security research community in helping us maintain a strong security posture.

Disclosure Policy:

Please note that we currently have no practice of paying bounties for security bugs. We believe that a responsible disclosure will benefit all parties involved.

If you discover a potential vulnerability, please notify us by emailing security@dext.com. We will do our best to acknowledge your email within 5 working days.

Please adhere to the following guidelines when reporting vulnerabilities:

  • Do not exploit the vulnerability (e.g., by downloading more data than necessary to demonstrate the vulnerability or by deleting or modifying customers’ data).
  • Use your own accounts for testing, or those for which you have explicit permission.
  • Allow us reasonable time to resolve the issue before disclosing it to the public or a third party, and include sufficient information to reproduce the vulnerability.
  • We recommend including the following information when you report a potential security vulnerability: summary, severity, URL, proof-of-concept steps, and evidence such as screenshots or video.

Exclusions:

While researching, we would like to ask you to refrain from the following:

  • Denial of Service (DoS) and Distributed Denial of Service (DDoS).
  • Spamming.
  • Social Engineering or phishing of Dext employees or contractors.
  • Any attack against Dext's physical property or data centres.
  • Scanning Dext infrastructure or products using automated vulnerability scanners.

Please comply with our website use policy and terms and conditions.

Thank you for helping keep Dext and our users safe! Happy bug hunting.

Automatic French Translation of this Page

We wanted our French language customers to understand the information on this page more easily, in French. Dext has therefore used ChatGPT, which automates translation of the page here. The tool is not perfect, and automatic translation may miss context, the full meaning may be lost, or words may be inaccurately translated. As a result, Dext cannot guarantee the accuracy of the converted text, and it should be used only to give you general guidance on the contents of this page. Anyone relying on information obtained from ChatGPT's translation of this page does so at their own risk. Dext fully disclaims and will not accept any liability for damages or losses of any kind caused by the use of the ChatGPT translated page. If there are any discrepancies or differences between the ChatGPT translation and this original page, this version is the version which prevails legally. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, or correctness of any translations made from English into any other language.