The privacy and security of your data is our top priority. Keep your content safe with the security measures that we’ve put in place.
Q: How/where is your application hosted?
A: We utilize Amazon Web Services for hosting. Their data centers are located throughout the United States (and across the globe) and they adhere to the tightest security standards in the hosting industry.
Q: Do you perform regular backups?
A: We perform regular backups of our filesystem every hour. Backups are stored on AWS S3 and are encrypted to prevent unauthorized access to data in the event that backup files are lost or stolen.
Q: Which application architecture, platforms and systems are used to collect, store, and utilize customer data (application platform, application servers in use, OS and hardware platforms, database platform and design, etc)?
- Application Platform: Python & Django 1.8.x
- Application Server: Ubuntu Server 14.04
- Web Server: Ngnix
- Database Platform: PostgreSQL 9.5
Q: How often/regularly are these systems patched?
A: DivvyHQ applies Zero Day patches on the day a patch is made available. Routinely, and when appropriate, all software on our servers are updated to the latest stable versions.
Q: How is the DivvyHQ application implemented and are connections between various components or tiers secure?
A: DivvyHQ’s application architecture has been designed and built with industry standard security recommendations and all network traffic between various components is encrypted. If you or your security team requires more details, please submit a technical inquiry via our contact page and a member of our security team will be in touch.
Q: How is customer data protected (authenticated and encrypted) in transit between the customer’s networks and DivvyHQ’s networks?
A: DivvyHQ requires SSL (https) for all interactions with the application.
Q: How are user credentials/data stored and protected?
A: User credentials are stored in our secure database and passwords are encrypted using an industry-standard, strong cryptographic hashing algorithm; specifically PBKDF2 with salt.
Q: What is DivvyHQ’s availability/uptime?
A: Excluding scheduled maintenance or downtime, DivvyHQ aims for an availability of 99.8%, which correlates to one hour of unplanned downtime per 30 calendar days.
Q: Can I use DivvyHQ from a non-US country?
A: As appropriate, DivvyHQ follows appropriate regional standards for data privacy (eg – the now defunct EU Safe Harbor); however, these regional standards are handled on a case-by-case basis, and as needs arise.
Q: Is there a role-based structure that is used to authorize access to the application?
A: Yes. Global Account Admins have access to all data within an account and can configure granular access permissions on a per calendar (hierarchical) basis to users. User roles are associated with Calendars and include: Parent Calendar Admin (Enterprise-only role), Editor, Contributor, Internal Reviewer, and External Reviewer. We also have a Reviewer Only role which allows for read-only access to your Divvy account. Roles can be customized for an individual user per calendar. For instance, a user may be an Editor on Calendar A and have no access or any other role on Calendar B.
Q: How are user authorizations/roles configured and maintained?
A: Account admins configure and maintain each user’s roles throughout the application. DivvyHQ support personnel may assist if needed to help customers choose the ideal role(s) for each user.
Q: What intrusion detection and/or prevention (IDS/IPS) capabilities do you have and how are they monitored?
A: DivvyHQ utilizes Cloudflare, a security protection and monitoring service that constantly protects our application from a wide range of online threats, including: cross-site scripting, SQL injection and denial of service (DOS) attacks. CloudFlare’s technology automatically performs browser integrity checks for all requests to our website, detects new attacks (and denies them) and alerts our staff when an attack has occurred.
Q: Have you completed any third-party penetration testing?
A: Yes, through Provensec in July 2017.
A: DivvyHQ utilizes Stripe as our payment gateway and all financial data is stored within their platform. No financial information is stored within the Divvy application or database. Stripe has been audited by a PCI-certified auditor, and is certified to PCI Service Provider Level 1. This is the most stringent level of certification available.
Q: What sort of security and training policies do you have in place for DivvyHQ employees?
A: Every DivvyHQ employee has completed a thorough background/employment screening process, signed employee confidentiality agreements and received extensive training to ensure they know exactly what and what not to do.