This security statement applies to the products and services offered by DLC Solutions, LLC, including “EthosCE.”
Our most important task is ensuring the security and confidentiality of our customers’ data. The following statement outlines the steps we undertake as part of fulfilling that responsibility.
Physical Security
Our data centers are SOC 2 compliant and located to mitigate environmental risks, such as flooding, extreme weather, and seismic activity. Perimeter access is controlled via methods such as security guards, fencing, security feeds, intrusion detection technology, and other security measures. Physical access is limited to data center employees and authorized personnel who have been approved for access and provide a valid business justification.
Compliance
DLC Solutions, LLC is SOC Type 2 compliant in the area of security and confidentiality.
DLC Solutions, LLC has completed a PCI SAQ-D certification audited and signed by a qualified security assessor.
Access controls
Access to our systems is protected by two-factor authentication. Employees are required to update their passwords regularly. We assign access on a need-to-know basis using the principle of least privilege. Access to assets and projects is reviewed regularly, and access is revoked upon employee termination.
Employees
All DLC Solutions, LLC employees receive training on security relevant to their position and are required to pass a criminal background check. Employees are required to read and acknowledge our security and privacy policies every year. A written and oral reminder of security and privacy responsibilities is made monthly.
Vulnerability and web application scans
Our network and application are scanned weekly by a qualified security vendor for vulnerabilities and security issues. Penetration tests are conducted periodically.
Encryption
EthosCE encrypts data at rest using AES-256-GCM, and in transit using TLS with a certificate signed using SHA-256 with RSA and a 4096-bit key. Our certificates and configuration are rated “A+” by Qualys SSL Labs.
Development
All developers and staff complete security training and follow secure coding practices. DLC Solutions monitors security vulnerability channels at all times and has a defined patching policy.
Infrastructure
In our hosting environment, our servers use a read-only file system and a minimal package set, and Security-Enhanced Linux (SELinux) is enabled.
EthosCE runs within containers rather than directly on the host, creating a clear security boundary. Each container is further confined using a combination of SELinux in enforcing mode, control groups (cgroups), and kernel namespaces. These are the same technologies that have been delivering military-grade security for more than 10 years.
Public access to ports other than 443 and 80 is firewalled, and any server access is tunneled through a bastion server available only to restricted users. Security rules are used to firewall access between networks and create segmentation controls. Access to management consoles requires two-factor authentication, and changes or updates to system configurations are flagged and emailed as alerts.
Logging
Application changes are logged in an off-site database for auditing purposes.
Breach notification
DLC Solutions pledges to notify customers if their application experiences a security breach and to work with customers to remedy the issue quickly and openly.
Backups and disaster recovery
Full file and database backups are made nightly, and databases are synced in real time to read-only standby cluster members in an offsite location. Backup verification and disaster recovery are tested on a regular basis. All data is stored in the United States.
Customer responsibilities
Keeping your data secure also requires that you maintain the security of your account by using strong passwords and storing them securely. Customers should never share accounts or passwords. Customers must also ensure the security of their own systems.
Security issues may be reported to security@dlc-solutions.com.