Last Updated: October 2021
At Dext, we are committed to protecting the confidentiality, integrity and data availability of our information systems and our customers’ data. We are constantly improving our security controls and analysing their effectiveness to give you confidence in our solution.
Here we provide an overview of some of the security controls in place to protect your data.
You can reach our security team at firstname.lastname@example.org
Data Center Physical Security
Dext uses Amazon AWS for data center hosting. AWS data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and or SOC 1 and 2 compliant. Learn more about Compliance at AWS.
AWS employs robust controls to secure the availability and security of their systems. This includes measures such as backup power, fire detection and suppression equipment, secure device destruction amongst others. Learn more about Data Center Controls at AWS.
AWS implements layered physical security controls to ensure on-site security including vetted security guards, fencing, video monitoring, intrusion detection technology and more. Learn more about AWS Physical Security.
In-house Security Team
Dext has a dedicated and passionate security and operations team to respond to security alerts and events.
Third-Party Penetration Tests
Third party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings as a result of tests are tracked to remediation. Reports are available on request with an appropriate NDA in place.
Dext leverages threat detection services within AWS to continuously monitor for malicious and unauthorised activity.
We perform regular internal scans for vulnerability scanning of infrastructure and applications. Where issues are identified these are tracked until remediation.
Dext uses a number of DDoS protection strategies and tools layered to mitigate DDoS threats. We utilize Cloudflare’s sophisticated CDN with built in DDoS protection as well as native AWS tools and application specific mitigation techniques.
Access is limited by following the least privilege model required for our staff to carry out their jobs. This is subject to frequent internal audit and technical enforcement and monitoring to ensure compliance. 2FA is required for all production systems.
Communication with Dext is encrypted with TLS 1.2 or higher over public networks. We monitor community testing & research in this area and continue to adopt best practices in terms of cipher adoption and TLS configuration.
Dext data is encrypted at rest with industry standard AES-256 encryption. By default we encrypt at the asset or object level.
Availability & Continuity
Dext is deployed on public cloud infrastructure. Services are deployed to multiple availability zones for availability and are configured to scale dynamically in response to measured and expected load. Simulated load tests and API response time tests are incorporated into our release and testing cycle.
Dext maintains a publicly available status page which includes details on system availability categorised into product areas, scheduled maintenance windows, service incident history and incident details.
In the event of a major region outage, Dext has the ability to deploy our application to a new hosting region. Our Disaster Recovery plan ensures availability of services and ease of recovery in the event of such a disaster. This plan is regularly tested and reviewed for areas of improvement or automation.
DR deployment is managed by the same configuration management and release processes as our production environment ensuring that all security configurations and controls are applied appropriately.
Dext’s Quality Assurance team reviews and tests the code base. The security team has resources to investigate and recommend remediation of security vulnerabilities within code. Regular syncs, training and security resources are provided to the QA team.
Testing, staging and production environments are separated from one another. No customer data is used in any non-production environment.
Dext runs a Security Champions program with involvement and contributions from each of the development teams.
Dext has a robust Security Awareness Training program which is delivered within 30 days of new hires and annually for all employees. In addition, we roll out quarterly focused training to key departments including Secure Coding, Data Legislation and Compliance obligations.
Information Security Program
Dext has a comprehensive set of information security policies covering a range of topics. These are disseminated to all employees and contractors and acknowledgement tracked on key policies such as Acceptable Use and Information Security Policy.
Access to systems and network devices is based upon a documented, approved request process. Logical access to platform servers and management systems requires two-factor authentication. A periodic verification is performed to determine that the owner of a user ID is still employed and assigned to the appropriate role. Access is further restricted by system permissions using a least privilege methodology and all permissions require a documented business need. Exceptions identified during the verification process are remediated. Business need revalidation is performed on a quarterly basis to determine that access is commensurate with the users job function. Exceptions identified during the revalidation process are remediated. User access is revoked upon termination of employment or change of job role.
Third Party Security
Dext understands the risks associated with improper vendor management. We evaluate and subject to a supplier onboarding process and steps on all of our vendors prior to engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them. Selected vendors are then monitored and reassessed on an ongoing basis, taking into account relevant changes.
At Dext, we consider the security of our systems a top priority and Dext believes that working with a skilled security research community helps improve our security posture.
Please note that we currently have no practice of paying bounties for security bugs. We believe that a responsible disclosure will benefit all parties involved.
If you believe you have discovered a potential vulnerability, please let us know by emailing email@example.com.
Encrypt your email using our PGP key (howto) to prevent this critical information from falling into wrong hands. We will acknowledge your email within 5 days.
Please do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting/modifying other people's data. For testing, only use the accounts you own yourself, or for which you have explicit permissions from the account holder.
Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or third party and include sufficient information to reproduce the vulnerability.
We recommend you to include the following information when you report a potential security vulnerability: Summary, Severity, URL, Proof-of-Concept steps and evidence such as screenshots or video.
While researching, we would like to ask you to refrain from the following:
Denial of Service (DOS) and Distributed Denial of Service (DDOS)
Social Engineering or phishing of Dext employees or contractors
Any attack against Dext's physical property or data centers
Scanning Dext infrastructure or products using automated vulnerability scanners.
Thank you for helping keep Dext and our users safe! Happy bug hunting.