It’s All About Data Privacy

Prevention is far better, cheaper, and more convenient than remediation

DeepHow believes that customer data is the most valuable asset that has been entrusted to us. We always want our customers to feel safe while creating their workflows in our application. Therefore, security is at the heart of all DeepHow operations.

While we do our best to limit data privacy and security risks using the measures described below, no internet-based technology can ever be 100% secure, and we encourage users to employ strong passwords and to monitor their accounts closely. You may always contact us with questions or concerns at the following email address: support@deephow.com.

Security 

DeepHow was built from the ground up to meet the security and privacy needs of enterprise customers. DeepHow continually makes the security and privacy of data a key priority in all areas, from design and development through production. Our developers are required to follow a formalized secure Software Development Life Cycle (SDLC) methodology at all times.

DeepHow has implemented a range of measures designed to protect the Confidentiality, Integrity, and Availability of our clients' data while supporting the way we conduct business. Confidentiality, Integrity, and Availability are the basic principles of information security and can be defined as:

●      Confidentiality – Using controls designed to ensure that DeepHow customer information is accessible only to those entities that are authorized to have access, often enforced by the classic “need-to-know” principle.

●      Integrity – Striving to protect the accuracy and completeness of DeepHow customer information and the methods that are used to process and manage it.

●      Availability – Implementing measures designed to keep DeepHow information assets (information, systems, facilities, networks, and computers) accessible and usable when needed by an authorized entity.

DeepHow recognizes that our business information is a key asset and, as such, we consider our ability to manage, control, and protect this asset to be a significant component of our future success.

How do we ensure that DeepHow employees play their role in preserving the security and privacy of our data?

Our organization maintains policies designed to preserve the security and privacy of our data. Among others, we expect employees to adhere to the following principles and practices:

During employment, all staff using DeepHow information assets shall apply security measures in accordance with all relevant regulations, rules, policies, and procedures.

Steps we take to ensure employees embrace a security-conscious culture are:

Roles and Responsibilities: All staff are properly briefed on their information security roles and responsibilities prior to being granted access to DeepHow information systems. Staff are provided with guidelines outlining the information security expectations for their role within DeepHow.

Training: Quarterly cybersecurity training is conducted to raise staff awareness and to maintain a security culture at DeepHow.

Agreement: Employees are required to sign an NDA before finalizing their employment. Each employee is required to sign the statement of confidentiality and privacy before they are provided system access or start working with DeepHow.

Unique Authentication: Unique user IDs are required for DeepHow employees when accessing any system that may contain customer data. Provision is also made to support identity federation, allowing Single Sign-On (SSO) authentication.

Privacy

DeepHow embraces and practices the culture of confidentiality. We have a Privacy Policy document to further express our devotion to securing your data.

DeepHow Corporation understands the need to keep customer-sensitive data safe, and we are committed to protecting your privacy online. Our customers trust us with their sensitive data, so below we give an overview of how we collect, process and store that data.

All customer data is isolated and encrypted at rest and in transit. We hold a SOC 2 Type 2 certification and use several third-party vulnerability assessment tools. Our security policy describes our approach to security in detail.

What data does DeepHow need access to? 

We require access to a list of your employee ID/Name, email address, and sites. Video, photo, and voice data are also collected.

Does that mean DeepHow has complete access to your staff data? 

No. We need access only to the basic information required to create a profile for your staff; all of the information we require is categorized as public by most organizations.

What data is not collected? 

We take measures to ensure we collect only relevant data; we understand that once we receive data it becomes our security responsibility. DeepHow does not intentionally collect payment card information, date of birth, staff phone number, staff address, age, or Government ID (SSN, DL number, etc.). In addition:

●      We provide a format/structure of data you’ll share with us

●      We review the data with your designated personnel to ensure excess information is removed if present

Why do we collect your data, and what do we do with it?

We collect your data:

●      To communicate with you and other individuals

●      To provide you with the application and the services

●      To notify you about changes to the application or the services

●      To audit and monitor the use of the application

●      To improve the quality of the application and the services

●      To manage complaints, feedback and queries

●      To carry out market research and analysis

●      To carry out satisfaction surveys and analysis

●      To provide you with information about the Services we offer (including details of any products which we believe may be of interest to you) in accordance with your preferences as indicated when you entered into any agreement with us, including any marketing consent preferences

●      To comply with any legal or regulatory obligations (including in connection with a court order)

●      To enforce or apply the agreements concerning you (including agreements between you and us)

What do we do with your data?

We process your data in our cloud environment using our proprietary Stephanie AI technique. Both processed and unprocessed versions of your data are always encrypted and kept in our secured storage facilities in the cloud. Your organization's administrator manages the processed data, assigning it to your employees as needed. We do not sell your data to any third-party organization. Where data sharing with sub-processors or partners is needed at all, it is carried out consistent with all applicable laws, including with respect to customer and data subject disclosures and consents.

How do we protect your data? 

All your data is isolated and encrypted at rest with AES-256 encryption. All inbound and outbound data transmissions are encrypted using TLS 1.2 or later. Access to non-privileged accounts, privileged accounts, and all local accounts is authenticated with passwords, personal identification numbers (PINs), tokens, biometrics, or, in the case of multifactor authentication (MFA), some combination of these.

Are customers' data isolated or mixed with other customers' data?

Customer data is logically separated in DeepHow. We use token-based authentication for every authorized access on all our platforms. We do not mix customers' data.
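The two answers above describe per-customer isolation together with AES-256 encryption at rest. A common way to implement that combination is a separate data-encryption key per customer (tenant) plus authenticated encryption that binds each stored object to its owner, so that a blob can never be opened under another customer's key or name. The Go program below is an added illustration of that pattern; it is not DeepHow's code, and the in-memory key store, the tenant names "acme" and "globex" and the sample bytes are constructed stand-ins for a real key-management service and real customer data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// TenantKeys is a constructed stand-in for a key-management service: one
// random 256-bit data-encryption key per customer (tenant). In production
// these keys would live in a KMS or HSM, not in process memory like this.
type TenantKeys struct {
	keys map[string][]byte
}

func NewTenantKeys() *TenantKeys {
	return &TenantKeys{keys: map[string][]byte{}}
}

// Provision generates a fresh AES-256 key for a tenant (idempotent).
func (t *TenantKeys) Provision(tenant string) error {
	if _, ok := t.keys[tenant]; ok {
		return nil
	}
	key := make([]byte, 32) // 32 bytes = 256-bit key, i.e. AES-256
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return err
	}
	t.keys[tenant] = key
	return nil
}

// aead builds an AES-256-GCM instance over the tenant's key.
func (t *TenantKeys) aead(tenant string) (cipher.AEAD, error) {
	key, ok := t.keys[tenant]
	if !ok {
		return nil, errors.New("unknown tenant: " + tenant)
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one stored object for a tenant. The tenant ID and object name
// are bound as additional authenticated data (AAD), so the blob can only be
// opened under the same tenant and name. Layout: nonce || ciphertext || tag.
func (t *TenantKeys) Seal(tenant, object string, plaintext []byte) ([]byte, error) {
	gcm, err := t.aead(tenant)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize()) // 96-bit nonce, fresh per object
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	aad := []byte(tenant + "/" + object)
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// Open reverses Seal. A wrong tenant, a wrong object name or any modified
// byte fails authentication and returns an error, never garbage plaintext.
func (t *TenantKeys) Open(tenant, object string, sealed []byte) ([]byte, error) {
	gcm, err := t.aead(tenant)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize()+gcm.Overhead() {
		return nil, errors.New("sealed blob too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	aad := []byte(tenant + "/" + object)
	return gcm.Open(nil, nonce, ct, aad)
}

func main() {
	ks := NewTenantKeys()
	for _, tenant := range []string{"acme", "globex"} { // constructed tenants
		if err := ks.Provision(tenant); err != nil {
			panic(err)
		}
	}
	blob, err := ks.Seal("acme", "workflow-42.mp4", []byte("constructed sample bytes"))
	if err != nil {
		panic(err)
	}
	pt, err := ks.Open("acme", "workflow-42.mp4", blob)
	fmt.Printf("same tenant:  %q err=%v\n", pt, err)
	_, err = ks.Open("globex", "workflow-42.mp4", blob)
	fmt.Printf("other tenant: err=%v\n", err)
}
```

Binding the tenant and object name as AAD is what turns "each customer has its own key" into a check the decryptor enforces: even a blob copied into another customer's storage, or renamed within the same customer, fails authentication instead of decrypting.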

Any additional authentication methods supported? 

DeepHow supports the following Single-Sign-On (SSO) authentication standards:

i.              OAuth 2.0: DeepHow uses OAuth 2.0 to avoid the security and scalability problems of the password anti-pattern (handing a user's credentials to a third-party application). OAuth 2.0 provides a consistent, flexible identity and policy architecture.

Is the product itself secure and available? 

Our infrastructure and data are spread across GCP, MS Azure, and AWS zones to ensure our services will continue to be available even if one of those data centers fails. All of our servers are in our own virtual private cloud (VPC) with network access control that prevents unauthorized access.

In all the stages of our SDLC, security is considered as part of the process and not an add-on. 

In addition, we have SOC 2 Type 2 audit certification and conduct regular third-party vulnerability assessment and penetration testing to identify and mitigate potential vulnerabilities. 

How are users assigned permission?

The product is accessed by users through a browser or through Windows, macOS, Android and iOS apps, using a conventional username and password. They can also use Single Sign-On (SSO). Access to your instance as a client is governed by roles and access rights configured by your designated “Organization Administrator”.

How do you back up our data?

Backups (database and file) are triggered automatically every day at set intervals without impacting the current state of the instances. All backups are stored securely using the backup API of each cloud platform. Our archive is stored on AWS in the US-West-2 region.

Who owns the data?

Our clients maintain full ownership of the data they create or upload in DeepHow using any of the available platforms.

Compliance

SOC 2 Type 2

DeepHow is compliant with Service Organization Controls (SOC) 2 Type 2. Our SOC 2 Type 2 report provides assurance that DeepHow’s security program and control environment comply with the Trust Services Criteria developed and maintained by the AICPA. The report covers the controls implemented at DeepHow, which include access management, encryption, monitoring, vulnerability management, incident management, risk management, vendor management, human resource management and more.

DeepHow’s SOC 2 Type 2 report is available on request (under NDA) to our existing and potential customers.

Other compliance programs:

In our environments, we scan and generate compliance reports based on standard controls and checklist evaluations. The compliance programs our systems are evaluated against include:

Compliance Programs                             # of Controls   % of Compliance
PCI                                             8               100%
HIPAA                                           4               100%
General Data Protection Regulation (GDPR) EU    3               100%
SOC 2 Type II                                   11              100%
ISO 27001                                       35              100%
NIST CSF                                        34              100%
NIST SP 800-53                                  14              100%
NIST 800-171                                    9               100%
FedRAMP                                         4               100%
ISO 27017                                       6               100%
ISO 27018                                       6               100%
SOC 3                                           5               100%
California Consumer Privacy Act (CCPA)          6               100%
MITRE AWS Attack Framework                      13              100%
FISMA                                           4               100%
APRA 234 Standard                               7               100%
VAIT                                            8               100%
BAIT                                            6               100%
FERPA                                           3               100%
COPPA                                           1               100%
HITRUST CSF                                     12              100%
LGPD                                            3               100%
GCP CIS Benchmarks v1.2.0                       49              100%
CSPM Encryption Program                         7               100%
