Introduction
This document explains our security practices and policies and is an extension of our privacy policy and terms of use.
Offering a 2FA service comes with a high responsibility to ensure the security and privacy of our customers' data. Maintaining the confidentiality, integrity and availability of customer data is our top priority.
We work hard to deliver a world-class service by following, and where possible exceeding, current industry best practices.
Responsible Disclosure Policy
If you are a security expert or researcher and you believe that you have found a security issue in any Daito system or application, we encourage you to contact us at security@daito.io as soon as possible.
Guidelines
Make a good faith effort to avoid privacy violations, the destruction of data and/or interruption of service.
Refrain from any denial of service (DoS) or distributed denial of service (DDoS) attacks against our infrastructure. This only incurs unnecessary costs and will most likely be shut down by Heroku anyway.
Do not perform non-technical attacks such as social engineering, phishing, or physical attacks against our users, employees, or infrastructure.
Please create a (free) trial account for your testing & security research. Do not attack or use production accounts.
Our commitment
We will acknowledge receipt of your report within 24 hours.
We will investigate the report and work closely with you to ensure we fully understand the issue.
We will notify you when the reported security vulnerability is fixed.
Reporting
Send us an email at security@daito.io with details of the vulnerability that you have discovered. It would be helpful if you could include a detailed description, the steps to reproduce the issue, and the potential impact.
General Practices
Primary Security Principles
Security first - All planning & engineering has security as priority #1.
Privacy first - We generally aim to collect the smallest amount of data required to provide our service.
These two principles determine a lot of our thinking and approach to developing and maintaining Daito. This includes having a business model that is based on subscription revenue, not on your data.
Security practices of the team
All team members (whether internal or external) with access to any customer data must sign an NDA.
All development hardware that holds any customer data uses full-disk encryption and is kept up to date with security patches.
2FA is in use for all third-party services that we use.
We use long, strong & randomly generated passwords that are never re-used.
Secure software development practices
We run automated and manual tests on all code before deploying to production.
Access to code and the ability to deploy to test or production environments is highly restricted.
We use mature and battle-tested standard libraries ("boring technology").
Our code base is automatically scanned periodically for vulnerable dependencies. Vulnerable dependencies are patched and redeployed as soon as possible.
All code & infrastructure elements are constantly monitored to detect anomalies early and prevent potential threats.
Ubiquitous Encryption
We use encryption where possible and feasible to ensure confidentiality of your data, even in the case of a breach.
Encryption of data in transit
In general, all connections between you and Daito, and within the Daito platform, are encrypted using HTTPS (TLS).
TLS certificates use 2048-bit RSA keys.
HTTP Strict Transport Security (HSTS).
Encryption of data at rest
Databases are encrypted at rest with AES-256.
Application servers ("Heroku Dynos") are ephemeral and do not contain customer data.
Encryption of data at application level
2FA seeds are additionally encrypted at the application level using AES, so they are never stored in plaintext in the database.
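As an added illustration of what application-level seed encryption looks like in practice (example code written for this page, not Daito's implementation; the page only states that AES is used), the following Go program encrypts TOTP seeds with AES-256-GCM using a key held outside the database, a fresh random nonce per record, and the account ID bound as associated data so that a ciphertext copied from one account row to another fails to decrypt. The key derivation in `demoKey` is a constructed stand-in; a real deployment would load a random key from a KMS or secret store.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
)

// SeedVault wraps an AES-256-GCM AEAD for encrypting 2FA (TOTP) seeds.
// The key lives outside the database (env var, KMS, ...), so a database
// dump alone does not reveal seeds even though the rows are readable.
type SeedVault struct {
	aead cipher.AEAD
}

// NewSeedVault builds a vault from a 32-byte key (AES-256).
func NewSeedVault(key []byte) (*SeedVault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &SeedVault{aead: aead}, nil
}

// Seal encrypts seed for accountID. A random 96-bit nonce is generated
// per record and prepended to the ciphertext; accountID is passed as
// associated data, so the stored value only decrypts for that account.
func (v *SeedVault) Seal(accountID string, seed []byte) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nonce, nonce, seed, []byte(accountID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts a value produced by Seal. It fails (returns an error)
// if the ciphertext or tag was modified or if accountID does not match.
func (v *SeedVault) Open(accountID, stored string) ([]byte, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return nil, err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return nil, errors.New("ciphertext too short")
	}
	return v.aead.Open(nil, raw[:ns], raw[ns:], []byte(accountID))
}

// demoKey is a constructed, deterministic key for this example only.
// Production keys must be random and loaded from a secret store.
func demoKey() []byte {
	k := sha256.Sum256([]byte("constructed demo key, not for production"))
	return k[:]
}

func main() {
	vault, err := NewSeedVault(demoKey())
	if err != nil {
		panic(err)
	}
	// Constructed sample: a base32 TOTP seed as an authenticator app would import it.
	seed := []byte("JBSWY3DPEHPK3PXP")
	stored, _ := vault.Seal("account-42", seed)
	fmt.Println("stored:", stored)

	got, err := vault.Open("account-42", stored)
	fmt.Printf("own account: %q err=%v\n", got, err)

	// Swapping the ciphertext into another account's row is detected.
	_, err = vault.Open("account-99", stored)
	fmt.Println("other account err:", err)
}
```

Decryption should happen only at the moment a code is generated or verified, and the recovered seed should never reach the audit log; the ciphertext stored in the database is safe to log or back up.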
Certified Hosting
We rely on Heroku as our hosting provider. Heroku is owned by Salesforce and runs on top of Amazon Web Services.
Amazon's data center operations have been accredited under:
ISO 27001
SOC 1 and SOC 2/SSAE 16/ISAE 3402
PCI Level 1
FISMA Moderate
Sarbanes-Oxley (SOX)
Logging & log retention
We log all user & admin actions to ensure a full audit trail. Audit logs are anonymized where possible and feasible and do not include sensitive data like passwords and generated 2FA tokens.
We centrally collect infrastructure and application logs in addition to separate exception and application monitoring & logging.
Logs are retained only for as long as the GDPR permits for their purpose, after which they are permanently deleted.
Insurance
We hold a €3 million financial loss liability insurance (which includes commercial cyber liability insurance) and a €2 million general company liability insurance.
Please contact us at security@daito.io should you have any questions not answered above.