DocuChief (DC) Security Overview

DC’s primary security focus is to safeguard our customers’ and users’ data. For this reason, DC has invested in the appropriate resources and controls to protect and service our customers. This investment includes a dedicated Security Team, which is responsible for DC’s comprehensive security and risk management program and its governance process. The Security Team focuses on defining new controls and refining existing ones, implementing and managing the DC security framework, and providing a support structure to facilitate effective risk management. Our Chief Security Officer, who reports to the Chief Operating Officer, manages the Security Team.

Global Database

DC outsources hosting of its Global Database (containing customers’ details) to a leading cloud infrastructure provider. DC leverages Amazon Web Services (AWS) for infrastructure hosting. This provides high levels of physical and network security. AWS maintains an audited security program, including SOC 2 and ISO 27001 compliance. DC does not host any production software system within its corporate offices.

Web Application Defenses

As part of its commitment to protecting customer data, DC has implemented an industry-recognized Web Application Firewall (WAF). The WAF automatically identifies and protects against attacks aimed at DC. The rules used to detect and block malicious traffic are aligned with the best-practice guidelines documented by the Open Web Application Security Project (OWASP) in the OWASP Top 10 and similar recommendations. Protections against Distributed Denial of Service (DDoS) attacks are also incorporated, helping to ensure that customers’ data and other parts of DC (like Web Services) are available continuously.

Vulnerability Scanning and Penetration Testing

The DC Security team manages a multi-layered approach to vulnerability scanning, using a variety of industry-recognized tools to ensure comprehensive coverage of our technology stack. We perform hundreds of vulnerability scanning and penetration testing activities against ourselves on a continuous basis. We perform vulnerability scanning continually against our internal networks, applications, and corporate infrastructure. Network-based and application-level vulnerability scans run at least daily to ensure that we detect and respond to the latest vulnerabilities. Static code analysis automatically reviews the most current code to detect potential security flaws early in the development lifecycle.

Data Leakage Protection

Customer data is stored in a multi-tenant storage system that customers can access only through application user interfaces and application programming interfaces. The authorization model in DC is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the user’s permissions against the attributes associated with each data set.

Encryption In-Transit and At-Rest

All sensitive interactions with DC (e.g., API calls, login, authenticated sessions to the website, etc.) are encrypted in-transit. DC leverages several technologies to ensure stored data is encrypted at-rest. DC uses AES-256 encryption with an additional salt. Additionally, certain databases and field-level information are encrypted at-rest, based on the sensitivity of the information. For instance, user passwords are hashed, and certain email features work by providing an additional level of both at-rest and in-transit encryption.

User Authentication and Authorisation

DC enforces a uniform password policy. The password policy requires a minimum of 8 characters that include a combination of lower and upper case letters, special characters, whitespace, and numbers. The minimum requirement cannot be changed. Application programming interface (API) access is enabled through either API key or OAuth (version 2) authentication and authorization. Additionally, OAuth is required of all featured integrations. Authorization for OAuth-enabled requests is established through defined scopes.

DC User Access

DC controls individual access to databases within its production and corporate environments. A subset of DC’s employees are granted access to the production database based on their role in the company through role-based access controls (RBAC), or on an as-needed basis referred to as JITA (just-in-time access). Access to the production environment is strictly restricted to metadata or schema changes and does not extend to the data.

Security Model

DC’s Security Model is inspired by the Biba Security Model, a formal state transition system of computer security policy that describes a set of access control rules designed to ensure data integrity. Data and subjects are grouped into ordered levels of integrity.

DC’s security model aims to:

  • Prevent data modification by unauthorised parties
  • Prevent unauthorised data modification by authorised parties
  • Maintain internal and external consistency
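
The textbook Biba strict-integrity rules that the model above draws on, shown as an added example (this is not DocuChief's code; the level names, subjects and requests are constructed for illustration):

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    # Hypothetical ordered integrity levels; a higher value is more trusted.
    UNTRUSTED = 0   # e.g. an unvalidated upload
    VERIFIED = 1    # e.g. a validated customer record
    SYSTEM = 2      # e.g. schema or configuration


@dataclass(frozen=True)
class Request:
    subject: str
    subject_level: Level
    action: str          # "read", "write" or "invoke"
    target: str
    target_level: Level


def decide(req: Request) -> tuple[bool, str]:
    """Return (allowed, rule applied) under Biba strict integrity."""
    s, t = req.subject_level, req.target_level
    if req.action == "read":
        # Reading up is allowed: Biba protects integrity, not confidentiality.
        return t >= s, "simple integrity: no read down"
    if req.action == "write":
        return s >= t, "star integrity: no write up"
    if req.action == "invoke":
        return s >= t, "invocation: no calling a higher-integrity subject"
    return False, "unknown action: default deny"


# Constructed sample requests.
SAMPLE = [
    Request("upload-parser", Level.UNTRUSTED, "write", "customer-record", Level.VERIFIED),
    Request("upload-parser", Level.UNTRUSTED, "read", "customer-record", Level.VERIFIED),
    Request("schema-migrator", Level.SYSTEM, "read", "raw-upload", Level.UNTRUSTED),
    Request("schema-migrator", Level.SYSTEM, "write", "db-schema", Level.SYSTEM),
    Request("report-job", Level.VERIFIED, "invoke", "schema-migrator", Level.SYSTEM),
    Request("report-job", Level.VERIFIED, "delete", "customer-record", Level.VERIFIED),
]


def denied(requests):
    """List (subject, action, target) for every request the rules reject."""
    return [(r.subject, r.action, r.target) for r in requests if not decide(r)[0]]


if __name__ == "__main__":
    for r in SAMPLE:
        print(r.subject, r.action, r.target, decide(r))
```
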

Compliance & Certifications

We have established an overarching framework through ISO 27001:2013 to manage data privacy and personal information as part of the broader management of information risks, information security and related compliance, incident management and business continuity issues. Customers’ data security has also been tested through various independent third-party security audits such as ISO 27001:2013 and SOC 2 Type 2, and other technical assessments (viz. ITGC and VA-PT).

We’ve always worked hard to demonstrate that our products are secure and meet the standards of applicable data protection rules. We offer transparency to users through clear explanations of how we use data, taking prior consent for the lawful usage of any PII that we have collected and giving people controls to manage their privacy. DC ensures that the data collected is adequate, relevant and not excessive, and that it is governed by a strict retention and disposal policy.

We conduct regular audits, maintain certifications, provide industry-standard contractual protections and harden our processes to adhere to compliance requirements. As we get ready for the GDPR, we’ll continue on that path. Our aim is always to keep data private and safe – and to put our users and partners in control.

We are on the verge of developing a Data Security Compliance Checklist based on the following parameters:

  1. Understanding the type of data we are handling and where it is being stored.
  2. We are moving ahead with implementing an effective and efficient risk management process, which ensures a level of comprehensive security appropriate to the risk.
  3. We are developing comprehensive policies and procedures.
  4. We are figuring out appropriate and effective controls for data management and security.

Our recent initiative is to map our current information certification, ISO 27001:2013, to GDPR. On 25th May 2018, Europe’s new General Data Protection Regulation (GDPR) came into force, replacing the 1995 EU Data Protection Directive.

For further information and queries regarding Security and Privacy, please contact the DC Risk and Compliance office at: amitabha.neogi@nexval.com.

  • Customer Trust and Protection – consistently deliver superior product and service to our customers while protecting the privacy and confidentiality of their information.
  • Availability and Continuity of Service – ensure ongoing availability of the service and data to all authorized individuals and proactively minimize the security risks threatening service continuity.
  • Information and Service Integrity – ensure that customer information is never corrupted or altered inappropriately.
  • Compliance with Standards – implement processes and controls to align with current international regulatory and industry best practice guidance. We have designed our security program around best-of-breed guidelines for cloud security. In particular, we align our practices with ISO/IEC 27001:2013 and SOC 2.