ISMS White Paper

Introduction

Daxap’s mission is to create solutions that have a positive societal impact and make everyday life easier for both organizations and their customers. We believe that keeping your data secure and protected is one of our most important responsibilities. We are dedicated to being open about our security measures and to helping you understand our methods.

Organizational Security

Daxap has established an Information Security Management System (ISMS) from the start of the company and successfully achieved ISO-27001 Certification in September 2023. Daxap’s security program is aligned with ISO 27001 and is constantly evolving with other industry best practices.

Daxap fulfills all the requirements of the ISMS through its security team, led by our Chief Information Security Officer (CISO). The team implements and manages the security program. In this regard, there are 31 Policies, 16 Procedures, and 134 Evidence Tasks to implement the controls and clauses of ISO-27001. Daxap has also established an Asset Management System, Incident Management System, Risk Management System, etc., and carried out personnel training and internal/external audits to manage the ISMS.

As Daxap, we are committed to the following statements to manage Information Security:

  • Daxap shall continuously improve and align information security practices to global best practices and standards.
  • Daxap shall maintain the highest standards of information security management and ensure customers’ data is protected.
  • Information should be classified and handled according to its criticality and sensitivity as mandated by relevant legislative, regulatory and contractual requirements.
  • Appropriate contacts shall be maintained with relevant authorities, special interest groups, or other specialist security forums.
  • Requirements for confidentiality or non-disclosure agreements reflecting the organization’s needs for the protection of information shall be identified, regularly reviewed, and documented. Any information shared by Daxap with prospects, prior to entering, and for the duration of, a contract, shall be done in accordance with the established confidentiality or non-disclosure agreements.
  • Daxap’s information asset inventories shall be reviewed and updated when a new asset is added and/or an existing asset is upgraded.
  • A risk assessment process for Daxap’s information assets shall be defined and followed. Risk treatment shall be carried out through the process of continuous improvement.
  • Internal assessments or audits of Daxap’s Information Security Program shall be performed periodically, and any gaps or findings shall be remediated promptly.
  • Information security policies shall be reviewed regularly by management. Daxap employees shall acknowledge their adherence to these information security policies and practices annually.
  • Roles and responsibilities of senior officials and staff shall be clearly defined and communicated to relevant individuals.
  • Anti-virus and anti-malware solutions shall be deployed on system components.
  • Prevention, detection, and recovery controls to protect against malware and phishing attacks shall be implemented by Daxap, and these will be combined with appropriate user awareness.
  • Security awareness training for employees shall be provided regularly.
  • Disaster Recovery Plans (DRPs) and Business Continuity Plans (BCPs) shall be reviewed and tested at least annually.
  • Change and vulnerability management controls shall be established and implemented.

Protecting Customer Data Security

As Daxap, we prioritize the security and integrity of your information. Establishing an ISMS and achieving ISO-27001 Certification underscores our commitment to maintaining the highest standards of information security management, ensuring your data is protected with the utmost care and diligence.

As Daxap, we are committed to the following statements to protect customer data:

  • Secure Design - Daxap aims to develop its products securely from design to final stage. Daxap has two main policies for this purpose: “Software Development Policy” and “Secure Coding Policy”. Daxap shall maintain a robust secure development lifecycle and follow OWASP Secure Coding Practices.
  • All data in transit between Daxap clients and the Daxap services is encrypted using strong protocols. Daxap employs the latest recommended secure cipher suites to encrypt all in-transit traffic, including Transport Layer Security (TLS), Internet Protocol Security (IPSec), Secure Shell (SSH), etc. whenever the clients support them.
  • For data at rest, Daxap’s production network is encrypted using methods such as Advanced Encryption Standard (AES) or RSA. This applies to all types of data stored within Daxap’s systems, including relational databases, file stores, and database backups.
  • Encryption - Daxap uses AWS for its servers and data centers, where a secure environment and physical protection are provided.
  • Network Segregation and Security - Daxap separates its systems into distinct networks to enhance the protection of sensitive data. Systems used for testing and development are hosted in a different network from those supporting Daxap’s production infrastructure. Access to Daxap’s production environment from open, public networks (the Internet) is restricted. Daxap logs, monitors, and audits all system activities and establishes alerting within provider capabilities for all potential threats.
  • Access to Systems - When granting access, Daxap adheres to the concept of least privilege and “deny all” by default, allowing only authorized access to systems in accordance with roles and responsibilities, to prevent any kind of data leakage.
  • Daxap requires all employees to use Multi Factor Authentication (MFA) to log into all systems where possible and appropriate.
  • Daxap mandates that staff use an authorized password manager that creates, saves, and inputs distinct and complex passwords to prevent password reuse, phishing attacks, and other password-related threats.
  • Logging and monitoring the systems - Access to Daxap’s network, systems, and communications shall be logged and monitored to identify potential misuse of systems or information. Logging activities shall include regular monitoring of system access to prevent attempts at unauthorized access and confirm access control systems are effective. Log servers and documents shall be kept secure and only made available to authorized personnel. These logs shall be retained as long as necessary or required for functional use or appropriate state regulation or law.
  • Data Retention and disposal - Disposal of customer data will be carried out in accordance with the contractual agreement between Daxap and the customer. In the absence of any contractual agreement, an automatic script shall be initiated on any Daxap platform containing customer data. This activates a full hard delete of customer data on the platform. It is the responsibility of Daxap’s hosting providers to ensure that data is properly removed from disks before they are reused.
  • Responding to Security Incidents - Daxap has established an incident management process to correctly identify, contain, investigate, and remediate incidents that threaten the security or confidentiality of Daxap’s information assets. All security incidents are managed by Daxap’s dedicated personnel. As needed, security incidents are reported outside of Daxap immediately by the designated person.
  • Third-Party Providers (Vendor) Management - Daxap depends on third-party organizations/apps to operate efficiently. Since these third-party services could affect the security of Daxap’s production environment, we take necessary measures to maintain our security standards by creating agreements that obligate these service organizations to uphold the confidentiality commitments. Daxap ensures the effectiveness of these organizations’ safeguards by reviewing their controls before engagement and at least once a year.
  • Third-Party Validation - Daxap continuously monitors and improves the effectiveness of ISMS activities. These audits are performed not only by internal auditors but also by third-party credentialed assessors. The internal and external audit results are shared with senior management and tracked to resolution.

Conclusion

We have a fundamental commitment to safeguarding your data. We believe that protecting your data is a crucial duty we owe to our customers, and we persistently strive to uphold that trust. Please don’t hesitate to reach out to us for any concerns or questions.

DAXAP AS

Main Office: Kuhaugen 4A, 7224 Melhus Norway

Office: Øvre Slottsgate 3, 0157 Oslo, Norway

+47 98 33 90 44
