How we answer your security and compliance questions
There can be security and privacy concerns when talking about data and client information. We’ve designed our products with a privacy-first mindset and have the necessary checks and measures in place to ensure you can easily comply with regulations at all times.
Are you GDPR compliant?
Yes. As a European company, Docbyte and our platform is subject to GDPR. We use infrastructure-as-a-service and platform-as-a-service solutions on Amazon Web Services (AWS). These AWS assets, together with our solutions, are designed to ensure full compliance with all GDPR regulations.
Where is my data stored?
Do you have a DPO I can address my privacy questions to?
Yes, we have two certified data protection officers. You can reach them on: firstname.lastname@example.org
How do you physically secure my information in your office?
Entry to our offices is regulated with a physical keycard system. Only designated staff can issue these cards, and they need to be activated for specific facilities in order to gain access. Docbyte personnel don’t have access to sensitive facilities unless their role and responsibilities require them to. Access is only granted in exceptional circumstances and always for a limited amount of time. This temporary access needs to be renewed regularly. Visitors are required to sign in and out. Moreover, we only store internal Docbyte data in our office facilities. Customer data is kept in cloud data centers.
How do you physically secure my data in cloud data centers?
We rely on cloud providers’ infrastructures for our cloud data centers. To secure your data, their physical access policy applies. Their policy dictates that employees are only granted access after thorough screening. Even then, access is only granted when there is a real need. After intervention, access is automatically revoked. Any new access permissions require a motivated request.
To further ensure security, access is meticulously logged and retained with name of the employee and reason for intervention. Moreover, all data centers are protected by a physical alarm system: CCTV, surveillance, intrusion detection systems, and multi-factor authentication.
Is my data encrypted?
Yes, we encrypt data in transit and at rest to ensure data confidentiality. Our technical setup complies with the following requirements:
- Data in transit is encrypted via the SSH protocol, the standard encryption for data in transit in almost all data centers and larger enterprises.
- Data at rest is encrypted using an AES-256 symmetric encryption key. Docbyte manages this key using secure key storage, compliant with FIPS140-2. Encryption keys are managed by the Docbyte System Administrators and can only be used by specific service users for encryption and decryption purposes (separation of concerns, so it is not possible for one and the same person to administer and use the encryption keys).
How do you keep track of who views and modifies my data?
Who has access to my data in the cloud?
Docbyte implements a strict role scheme to determine access to data. Users, roles, and permissions are defined in the Identity and Access Management (IAM) module of our AWS environment. We define our production services in a separate network without any direct connection to other resources within our network. Moreover, system administrators don’t necessarily have access to the data, but are only able to set the permissions. This means we have a complete separation of concerns between management tasks and data access tasks.