Security Policy

Effective Date: September 1, 2019

Security Overview
We provide this overview so that you can better understand the security measures we’ve put in place to protect the information that you store using our Services. Please remember that your use of our Services is at all times subject to the Terms of Use. Any terms we use in this Security Policy without defining them have the definitions given to them in the Terms of Use.

We reserve the right to change this Security Policy from time to time.  Your access and use of the Services is subject to the Security Policy in effect at the time of such access and/or use.  If we make any material changes to our Security Policy, we will notify you by placing a notice on www.docnetwork.org, by sending you an email, and/or by some other means.  If you use the Services after any changes to the Security Policy have been posted, that means you agree to all of the changes.  

Infrastructure
DocNetwork is hosted in a state-of-the-art, highly scalable cloud computing platform with high availability and dependability. Our infrastructure provider's platform has been designed and managed in alignment with regulations, standards and best practices including:

  • CSA (Cloud Security Alliance)
  • ISO 9001 (Global Quality Standard)
  • ISO 27001 (Security Management Controls)
  • ISO 27017 (Cloud Specific Controls)
  • ISO 27018 (Personal Data Protection)
  • SOC 1 (Security, Availability, & Confidentiality Report)
  • SOC 2 (Security, Availability, & Confidentiality)
  • SOC 3 (General Controls)
  • HIPAA (Health Insurance Portability and Accountability Act)
  • FERPA (Family Educational Rights and Privacy Act)

These certifications indicate that our infrastructure provider's processes are compliant with very strict criteria for data security and privacy.

DocNetwork also utilizes a Content Delivery Network to help protect against common malicious attacks, such as Distributed Denial of Service (DDoS) attacks, Man in the Middle (MITM) attacks, and packet sniffing. 

Physical Security
Our infrastructure provider uses data centers that are housed in nondescript facilities, and critical locations have extensive setback and military-grade perimeter control berms as well as other natural boundary protection. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication no fewer than three times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff. Our infrastructure provider only provides data center access and information to employees who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of our infrastructure provider. All physical and electronic access to data centers by infrastructure employees is logged and audited routinely.

Security Assessments and Compliance
We conduct automated scans of our non-production and production environments, looking for missing patches and vulnerabilities on a regular basis. We do similar tests on our web applications, including penetration testing exercises and code scanning. We also implement anti-virus, anti-malware, and firewall protection throughout our infrastructure and on all of our devices.  

DocNetwork is a PCI Level 3 merchant and must maintain compliance with the Payment Card Industry Data Security Standard (PCI DSS).

Access
All data storage services require user authentication to perform a particular action. Role-based access control is implemented following the principle of least privilege and is designed to ensure that a specific user can only take actions authorized for its role.

Encryption
All data stored is encrypted at rest with AES 256-bit encryption, which is the industry gold standard for encrypting data. Data is encrypted using a key stored in a key management service through our infrastructure provider. Encryption keys are rotated on a regular schedule.

Transfers
Your data is sent between your web browser and our servers over a secure channel using 256-bit SSL (Secure Sockets Layer) encryption, the standard for secure internet network connections.

Backups
All data is backed up continuously and with periodic snapshots. Every backup is encrypted. Redundant backups occur in multiple locations to prevent the remote possibility of data loss.

Logging
System logs are standardized across services and log data hosted on our servers is also encrypted. Logs are kept for debugging purposes and maintained with the same security policies as customer data. 

Procedures in the Event of a Security Breach
While the likelihood of a security breach is low, we follow standardized procedures to contain, classify, and report a security breach in the event that it occurs.  

  1. Containment
    The first priority after a security breach is discovered is to contain the breach and notify supervisory personnel as quickly as possible. For any category of breach, the data must be secured, and the reasonable integrity, security, and confidentiality of the data or data system must be restored.
  2. Classification
    The next step is to determine the exact nature of the breach in terms of its extent and seriousness.
  3. Reporting
    As soon as a breach has been identified, the employee who discovered it must take immediate steps to report the breach to his or her supervisor. The supervisor must take immediate action to determine the extent and category of the breach and to take such further action as is necessary to contain the breach. In all cases of a breach, all parties involved must be notified as soon as practicable. The supervisor must document the breach, noting the category involved, the scope of the breach, steps taken to contain the breach, and the names or categories of persons whose personal information was, or may have been, acquired by an unauthorized person.
  4. Notification
    DocNetwork will notify affected users without unreasonable delay. Notification shall be clear and conspicuous and include a description of the incident in general terms, the type of information that was subject to the unauthorized access and acquisition, and the actions taken to protect the personal information from further unauthorized access. Notification will be provided by email.

Privacy
A copy of our full Privacy Policy can be found at www.docnetwork.org/privacy.

We guard your privacy to the best of our ability and work hard to protect your information from unauthorized access, and we employ a number of physical and electronic security measures to protect user information from unauthorized access.

DocNetwork employees are prohibited from viewing the content of files you store in your DocNetwork account and are only permitted to view file metadata (e.g., file names and locations); however, like most online services, we have a small number of employees who must be able to access user data. DocNetwork does a thorough background check on all of its employees, and only employees who need access to your information (including your Personal Information) in order to perform their jobs are allowed such access. All DocNetwork employees are informed about their responsibility to protect your privacy, and we give them clear guidelines for adhering to our own business ethics standards and confidentiality policies. Any employees who violate our privacy and/or security policies will be subject to disciplinary action, and if the violation warrants, they will be terminated and may be charged with civil and/or criminal prosecution.

Compliance with Laws and Law Enforcement
As set forth in our Privacy Policy, and in compliance with applicable laws, DocNetwork cooperates with law enforcement when it receives valid legal process.

I think I’ve found a security exploit. Where do I report security concerns?
We take a number of measures to ensure that the data you store on DocNetwork is safe and secure, but we recognize that no system can guarantee data security with 100% certainty. For that reason, we will continue to innovate to make sure that our security measures are state of the art, and we will investigate any and all reported security issues concerning our Services. For a direct line to our security experts, report security issues to security@docnetwork.org.