DeepHow Security Overview

It’s All About Data Privacy

Prevention is far better, cheaper, and more convenient than remediation

DeepHow believes that customer data is the most valuable asset that has been entrusted to us. We always want our customers to feel safe while creating their workflows in our application. Therefore, security is at the heart of all DeepHow operations.

While we do our best to limit data privacy and security risks using the measures described below, no internet-based technology can ever be 100% secure, and we encourage users to employ strong passwords and monitor accounts closely.  You may always contact us with questions or concerns at the following email address: [email protected].

Security

DeepHow was built from the bottom up to meet the security and privacy needs of enterprise customers. DeepHow continually makes the security and privacy of data a key priority in all areas (from design, and development to production). Our developers and programmers are required to always use a formalized secure Software Development Life Cycle (SDLC) methodology framework.

DeepHow has implemented a range of measures designed to protect the Confidentiality, Integrity, and Availability of the data of our clients while providing value to the way we conduct business. Protection of Confidentiality, Integrity, and Availability are basic principles of information security and can be defined as:

●   Confidentiality – Using controls designed to ensure that DeepHow customer information is accessible only to those entities that are authorized to have access, many times enforced by the classic “need-to-know” principle.

●   Integrity – Striving to protect the accuracy and completeness of DeepHow customer information and the methods that are used to process and manage it.

●   Availability – Implementing measures designed to keep DeepHow information assets (information, systems, facilities, networks, and computers) accessible and usable when needed by an authorized entity.

DeepHow has recognized that our business information is a key asset and as such, we consider our ability to manage, control, and protect this asset to be a significant component of our future success.  

How do we ensure that DeepHow employees play their role in preserving the security and privacy of our data?

Our organization maintains policies designed to preserve the security and privacy of our data.  Among others, we expect employees to adhere to the following principles and practices:

During employment, all staff using DeepHow information assets shall apply security measures following all relevant regulations, rules, policies, and procedures.

Steps we take to ensure employees embrace a security-conscious culture are:

Roles and Responsibilities: All staff members are properly briefed on their information security roles and responsibilities before being granted access to DeepHow information systems. Staff are provided sufficient guidelines outlining the Information security expectations for their role within DeepHow.

Training: A quarterly cybersecurity training is conducted to sensitize staff and to maintain a security culture in DeepHow.

Agreement: Employees are required to sign an NDA before finalizing their employment. Each employee is required to sign the statement of confidentiality and privacy before they are provided system access or start working with DeepHow.

Unique Authentication: Unique user IDs are required for DeepHow employees when accessing all systems that may contain customer data. Provision is also made to support the Identity Federation to allow Single-Sign-On (SSO) authentication.

Privacy

DeepHow embraces and practices the culture of confidentiality. We have a Privacy Policy document to further express our devotion to securing your data.

DeepHow Corporation understands the need to keep customer-sensitive data safe and we are committed to protecting your privacy online. Our customers trust us with their sensitive data, therefore, we have an overview of how we interact, process, and store the data.

All customer data is isolated, and encrypted at rest and in transit. We have a SOC2 Type2 certification and several third-party vulnerability assessment tools. Our security policy shows details of our approach to security.

What data does DeepHow need access to?

We require access to a list of your employee ID/Name, email address, and worksite. Video, photo, and voice data are also collected.

Does that mean DeepHow has complete access to your staff data?

No. We need access to basic information to create a profile for your staff, all information required by us is categorized as public by most organizations.

What data is not collected?

We take measures to ensure we only collect relevant data; we understand that once we receive data it becomes our security responsibility. DeepHow does not intentionally collect payment card information, date of birth, staff phone number, staff address, age, or Government ID (SSN, DL number, etc.). In addition:

●   We provide a format/structure of data you’ll share with us
●   We review the data with your designated personnel to ensure excess information is removed if present

Why do we collect your data? and what do we do with your data?

We collect your data:

●   To communicate with you and other individuals
●   To provide you with the application and the services
●   To notify you about changes to the application or the services
●   To audit and monitor the use of the application
●   To improve the quality of the application and the services
●   To manage complaints, feedback, and queries
●   To carry out market research and analysis
●   To carry out satisfaction surveys and analysis
●   To provide you with information about the Services we offer (including details of any products that we believe may be of interest to you) following your preferences as indicated when you entered into any agreement with us, including any marketing consent preferences
●   To comply with any legal or regulatory obligations (including in connection with a court order)
●   To enforce or apply the agreements concerning you (including agreements between you and us)

What do we do with your data?

We process your data in our cloud environment using our proprietary Stephanie AI technique. Both processed and unprocessed versions of your data are always encrypted and kept in our secured storage facilities in the cloud. The processed data are managed by your organizational administrator by assigning them to your employees as needed. We do not sell your data to any third-party organization. If at all needed, data sharing with sub-processors or partners is carried out consistent with all applicable laws, including for customer and data subject disclosures and consents.

How do we protect your data?

All your data is isolated and encrypted at rest with AES-256 encryption. All outbound and inbound data transmissions are encrypted using TLS 1.2 or later. We provide a robust and enough capacity that ensures that access to non-privileged accounts, privileged accounts, and all local accounts shall be authenticated with passwords, personal identification numbers (PINs), tokens, biometrics, or in the case of multifactor authentication (MFA), and some combination thereof.

Are customers' data isolated or mixed with other customers' data?

Customer data is logically separated in DeepHow. We provide token-based authentication for every authorized access in all our platforms. We do not mix customers' data.

Are any additional authentication methods supported?

DeepHow supports the following Single-Sign-On (SSO) authentication standards:

  •   OAuth 2.0: DeepHow uses OAuth to overcome the security and scalability threats of password anti-pattern, OAuth 2.0 provides a consistent, flexible identity and policy architecture.

Is the product itself secure and available?

Our infrastructure and data are spread across GCP, MS Azure, and AWS zones to ensure our services will continue to be available even if one of those data centers fails. All of our servers are in our virtual private cloud (VPC) with network access control that prevents unauthorized access.

In all the stages of our SDLC, security is considered as part of the process and not an add-on.

In addition, we have SOC 2 Type 2 audit certification and conduct regular third-party vulnerability assessment and penetration testing to identify and mitigate potential vulnerabilities.

How are users assigned permission?

The product is accessed by users through browser, Windows, Android, iOS, and MacOS apps using a conventional username and password. The users can also use Single Sign-on (SSO). Access to your instance as a client is governed by roles and access rights configured by your designated “Organization Administrator”.

How do you back up our data?

Backups (database and file) are triggered automatically daily at certain intervals without impacting the current state of the instances. All backups are stored securely using the appropriate API responsible for backups on each cloud platform. Our archive is stored on AWS on US-West-2.

Who owns the data?

Our clients maintain full ownership of their data created or uploaded in DeepHow.

Compliance

SOC 2 Type 2

DeepHow is compliant with Service Organization Controls (SOC) 2 Type 2. Our SOC 2 Type 2 report assures that DeepHow’s security program and control environments comply with Trust Service Criteria developed and maintained by AICPA. The report covers the controls implemented in DeepHow which include, access management, encryption, monitoring, vulnerability management, incident management, risk management, vendor management, human resource management, and more.

DeepHow’s SOC 2 Type 2 report is available on request (under NDA) to our existing and potential customers.

Other Compliances:

In our environments, we have been able to scan and generate compliance reports based on standard controls and checklist evaluations. These compliances that our system is subjected to include:

Compliance Programs
# of Controls
% of Compliance
Types of Personal Information Collected
PCI
Source of the Personal Information
8 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
HIPAA
Source of the Personal Information
4 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
General Data Protection Regulation (GDPR) EU
Source of the Personal Information
3 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
SOC 2 Type II
Source of the Personal Information
11 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
ISO 27001
Source of the Personal Information
35 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
NIST CSF
Source of the Personal Information
34 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
NIST SP 800-53
Source of the Personal Information
14 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
NIST 800-171
Source of the Personal Information
9 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
FedRamp
Source of the Personal Information
4 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
ISO 27017
Source of the Personal Information
6 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
ISO 27018
Source of the Personal Information
6 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
SOC 3
Source of the Personal Information
5 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
California Consumer Privacy Act (CCPA)
Source of the Personal Information
6 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
Mitre AWS Attack Framework
Source of the Personal Information
13 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
FISMA
Source of the Personal Information
4 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
APRA 234 STANDARD
Source of the Personal Information
7 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
VAIT
Source of the Personal Information
8 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
BAIT
Source of the Personal Information
6 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
FERPA
Source of the Personal Information
3 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
COPPA
Source of the Personal Information
1 control
The Purpose for Collection and Use
100%
Types of Personal Information Collected
HITRUST CSF
Source of the Personal Information
12 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
LGPD
Source of the Personal Information
3 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
GCP CIS Benchmarks v1.2.0
Source of the Personal Information
49 controls
The Purpose for Collection and Use
100%
Types of Personal Information Collected
CSPM Encryption Program
Source of the Personal Information
7 controls
The Purpose for Collection and Use
100%