Documentación

Security

Suggest Edits

This guide explains the security measures and protocols implemented to ensure a safe and secure environment for our administrative portal and services.

At DEUNA, we prioritize the security of our platform and the protection of our customers' data.

Our commitment to security encompasses access control, user management, monitoring, and incident response, using industry-leading tools and standards.

Access control

Learn about access control in DEUNA.

Attribute-Based Access Control (ABAC)

The DEUNA administrative portal uses ABAC to control access.

All actions taken by each user are recorded with AuditLogs, which can be accessed by the merchant.

AuditLogs are stored:

  • Hot: Quick access by the platform for two years.
  • Cold: An additional year cold (requires DEUNA support).

TrailLog store all transactional data passing through DEUNA and comply with the same storage periods as AuditLogs.

AuditLogs and TrailLogs

AuditLog are stored according to the RFC5424 standard and include information on all actions performed on the DEUNA administrative portal.

TrailLogs store all transactional data processed by DEUNA.

Permission Delegation: DEUNA provides the merchant with permissions to manage actions, trades and resources according to its policies, with recommendations from DEUNA.

DEUNA allows you to delegate permissions on:

  • Actions
  • Shops
  • Resources.

User management

Learn about user managemenr in DEUNA.

User creation

Users are created through an email invitation process.

The invited user must create and confirm a password.

Password Requirements:

  • Length of at least eight characters.
  • At least one special character.
  • Validation against commonly exposed and known passwords.

Users can enroll in Multi-Factor Authentication (MFA) using Okta.

📘

Require MFA to be mandatory for your user accounts.

Managing inactive users

Every 60 days, an alert is sent to the merchant's super-admins notifying them of user inactivity.

Super-admins can deactivate or delete inactive users via the DEUNA administrative portal.

Users who are inactive for 90 days or more will be automatically deactivated. These periods can be customized to the needs of the business.

Continuous security monitoring

Learn about DEUNA's security monitoring.

Industry-leading tools

DEUNA uses industry-leading tools to monitor its systems, such as:

  • AWS GuardDuty: Continuous threat detection.
  • AWS Inspector: Security and vulnerability assessment for EC2, ECR, and Lambda functions.
  • AWS Security Hub: Consolidate security alerts and findings for prioritization and remediation.
  • KrakenD: Implements rate limiting and security measures to protect applications from overloads and malicious attacks.

Data Security

  • Data in Transit: Support for TLS protocols (TLSv1.2 and TLSv1.3) with strong ciphers such as:
    • TLS_AES_128_GCM_SHA256
    • TLS_AES_256_GCM_SHA384
    • TLS_CHACHA20_POLY1305_SHA256
  • Data at Rest: Encryption methods and automatic credential rotation to protect stored data.

Incident response and problem communication

Learn about DEUNA's protocols for incident responses.

Business Continuity and Disaster Recovery Plans (BCP and DRP)

DEUNA has a BCP and DRP designed for early response to incidents.

24/7 monitoring and guards for real-time detection and identification.

Incidents are classified into five categories, each handled according to a defined SLA to ensure a rapid and appropriate response.

Vulnerabilities and threats resolution

Severity Levels and Resolution Times:

SeverityOptimal timeMaximum timeTime acknowledge
Critical3 hours5 days30 minutes
High6 hours2 weeks30 minutes
Half6 hours2 weeks1 hour
Low5 days8 weeks1 day
Not triaged2 weeks6 months1 day

SLA criteria

Learn about the SLA criteria:

  1. Initial Notification: Customers will be notified within 72 hours of detecting a security incident affecting their personal data.
  2. Follow-up Updates: Regular updates will be provided at least every 7 days until the incident is resolved.
  3. Final Incident Report: Issued within 30 days of resolution, detailing cause, impact, and corrective actions.
  4. Acknowledgement of Receipt: Request for acknowledgement of receipt of notification within 24 hours. If an acknowledgement is not received, follow-up action will be taken to ensure customers are informed.
  5. Incident Resolution: The organization will endeavor to resolve the incident and implement corrective actions within 14 days of detection. If more time is needed, customers will be informed of the extension of the timeframe and the reasons for the delay.
  6. Internal Report:
    • All security incidents must be reported internally to the designated Data Protection Officer (DPO) or the relevant authority within 2 hours of detection.
    • The DPO will review and initiate an internal investigation within 4 hours of the initial report.
  7. Customer Support Response Time: The organization will provide support to customers affected by the security incident, with initial responses to support inquiries or requests within 24 hours.
  8. Postmortems: Required for P1 and P2 incidents within 3 and 7 days, optional for P3, and not required for P4 and P5. Key roles such as CTO, DevOps, and Team Leads participate based on priority. Bi-weekly Operational Readiness outreach and follow-up sessions.

Updated 2 days ago