security protocols and companies
to protect all user data
1Dossier takes data integrity and security very seriously.We store and process your data and that of your customers with care and help you be compliant so that you can continue to build trust while enhancing customer experiences. We help you assure your customers that their payment information and billing data are and will always be secure. The promise of security stems from the very system that handles all payment, billing, subscription, and customer data and is an essential part of our product, processes, and team culture.
DATA HANDLING & COMPLIANCE
1Dossier provides industry standard security throughout the documents & Information lifecycle. Whatever the application there are always concerns over security and privacy of information accessible via the public internet. Ultimately nothing is hacker-proof, however, there are steps that can be taken to minimize the risks, and limit any consequences. 1Dossier is architected as a ‘multitier’ application. Our solution incorporates countermeasures recommended as best practice by OWASP. As well as protecting against external threats we also protect against internal risks, using encryption of key configuration settings and obfuscation of application code.
SOC 1 and SOC 2
1Dossier billing, invoicing and subscription management, is SOC1 and SOC2 compliant, so you can gain assurance that we value and protect the interests of your organization and the privacy of your customers. The SOC attestation ensures that SaaS service providers securely manage your data to protect the interests of your organization and the privacy of its clients. SOC for Service Organizations are internal control reports on the services provided by a service organization providing valuable information that users need to assess and address the risks associated with an outsourced service.
GDPR
The General Data Protection Regulation (GDPR) is a European privacy law which became enforceable on May 25, 2018. The GDPR replaces the EU Data Protection Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state. The core of 1Dossier internal operations underpins protecting the personal data of our customers. We only collect and store information that is necessary to offer our service, and we do this with the consent of our customers.
SCA & PSD2
1Dossier is compliant to Strong Customer Authentication (SCA) is payment security regulation brought forth by the European Banking Authority (EBA) , to ensure that Multi-factor authentication is performed for card payments. EBA has made it mandatory to implement SCA as a part of the Revised Payment Services Directive (PSD2) initiative. The amendment is effective from September 14, 2019 and applies to all online transactions where the payment processor and the card Issuing Bank are from the European Economic Area (EEA) .
ISO 27001 CERTIFICATION
1Dossier subscription platform is ISO 27001 certified (formally known as ISO/IEC 27001:2013) is a specification for an information security management system (ISMS). An ISMS is a framework of policies and procedures that includes all legal, physical and technical controls involved in an organisation’s information risk management processes with the aim of keeping information secure. With ISO’s robust information security management system (ISMS) in place, you gain the additional reassurance that a full spectrum of security best practices are implemented across the organization.
PAYMENTS PROCESSING & SECURITY
GoCardless Payment
GoCardless is a leading provider of automatic debit services, processing more than £ 5 billion in payments per year for more than 30,000 organizations in the UK and Europe, including Sage, TripAdvisor and Les Mills. GoCardless is ISO 27001 accredited (ISO 27001 is a widely recognized and internationally recognized standard for information security). It is also authorized by the UK Financial Conduct Authority to provide payment services as an authorized payment institution in the European Union.
Stripe Payment
Stripe is the best software platform for online payment and manages billions of dollars each year for forward-thinking companies around the world. With Stripe, we accept 100 currencies so we can receive payments with Visa, MasterCard or American Express card. All card numbers are encrypted at rest with AES-256. The decryption keys are stored on separate machines.
SCA & PSD2
1Dossier is compliant to Strong Customer Authentication (SCA) is payment security regulation brought forth by the European Banking Authority (EBA) , to ensure that Multi-factor authentication is performed for card payments. EBA has made it mandatory to implement SCA as a part of the Revised Payment Services Directive (PSD2) initiative. The amendment is effective from September 14, 2019 and applies to all online transactions where the payment processor and the card Issuing Bank are from the European Economic Area (EEA) .
Payment system
For added security 1Dossier DO NOT STORE or process credit card details. The credit card or direct debit are processed in the most secure way on behalf of 1Dossier by one of 1Dossier suppliers, GoCardless (bank direct debit), Stripe (Mastercard, Visa or American Express) or PayPal. These suppliers are certified to PCI-DSS, a recognized international security standard and operate in accordance with the provisions of the European Monetary and Financial Code.
INFRASTRUCTURE & ENCRYPTION
1Dossier uses Amazon’s AWS platform and infrastructure. 1Dossier employees do not have any physical access to our production environment. Cloud security is the highest priority at AWS. As an AWS customer, we are benefitted from a data center and network architecture built to meet the requirements of the most security-sensitive organizations. “Amazon has many years of experience in designing, constructing, and operating large-scale data centers. This experience has been applied to the AWS platform and infrastructure. AWS data centers are housed in nondescript facilities, with military grade perimeter control berms. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state of the art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in. They are also continually escorted by authorized staff.” In addition to physical security, being on AWS platform also provides us significant protection against traditional network security issues on the infrastructure including: Distributed Denial Of Service (DDoS) Attacks, Man In the Middle (MITM) Attacks, Port Scanning, Packet sniffing by other tenants
The document files held in the system are themselves encrypted, so in the extremely unlikely event of the data center security being breached, and access to the document files obtained, their content remains secure. Even trusted data center staff will not have access to document content. All user credentials are hashed with a one way hash that even we cannot decode.
Data transfer
During the transfer of customer data, the data is encrypted in transit between the computer, phone or tablet and 1Dossier servers with Sectigo which provides 256-bit encryption. Before issuing any EV certificate, the CA must perform a specific, audited authentication process using techniques that are proven effective over more than ten years of industry-wide use. The company name in the branded address bar indicates that the identity of this site operator is highly trusted information and reveals the specific identity of the company operating the site.
Encryption of personal data
All the data is encrypted on the server. Only the Agents receiving the access rights from a tenant can see the data.
Server-side encryption protects data at rest. 1Dossier encrypts each object with a unique key. As additional protection, he encrypts the key itself with a key that it rotates regularly. Our server-side encryption uses one of the most powerful block encryption available, the advanced 256-bit encryption standard (AES-256).
AWS Enterprise Hosting
Enterprise websites need to dynamically scale resources and be highly available to support the most demanding and highly trafficked websites. 1Dossier websites / apps use multiple AWS services and span multiple data centers (called Availability Zones). 1Dossier is built on AWS to provide high levels of availability, scalability, and performance.
Ethereum Blockchain
1Dossier uses an Etherum private blockchain. Hence, nodes participating in transactions are authenticated and authorized machines within the organizational network. Ethereum is a programmable blockchain – it allows 1Dossier to create operations, coded as Smart Contracts, deployed and executed by the Ethereum Virtual Machine (EVM) running inside every node. A blockchain is a distributed computing architecture where every node runs in a peer-to-peer topology, where each node executes and records the same transactions. These transactions are grouped into blocks. Individual user interactions (transactions) with the ledger are append-only, immutable, and secured by strong cryptography.