Last Updated: April 28, 2022
At DeepDyve, Inc. (DeepDyve), we are committed to protecting the confidentiality, integrity, and availability of our information systems and our customers' data. We are constantly improving our security controls and analyzing their effectiveness to give you confidence in our solution.
Here we provide an overview of some of the security controls in place to protect your data.
You can reach our security team at [email protected].
DeepDyve uses infrastructure from Google Cloud Platform (GCP) for data center hosting. Our provider data centers are certified as ISO 27001, PCI DSS Service Provider Level 1, and or SOC 1 and 2 compliant.
Our providers employ robust controls to secure the availability and security of their systems. This includes measures such as backup power, fire detection and suppression equipment, and secure device destruction amongst others. Learn more about Data Center Controls at Google Cloud Datacenter Security.
GCP implements layered physical security controls to ensure on-site security, including vetted security guards, fencing, video monitoring, intrusion detection technology, and more.
DeepDyve has a dedicated security team to respond to security alerts and events.
Third-party penetration tests are conducted against the application and supporting infrastructure at least annually. Any findings as a result of tests are tracked to remediation. Reports are available on request with an appropriate NDA in place.
DeepDyve leverages threat detection services within GCP to continuously monitor for malicious and unauthorized activity.
DeepDyve performs regular internal scans for vulnerability of infrastructure. Where issues are identified these are tracked until remediation.
Deepdyve uses a number of DDoS protection strategies and tools layered to mitigate DDoS threats. We utilize GCP's sophisticated network services with built-in DDoS protection as well as native GCP tools and application-specific mitigation techniques.
Access is limited to the least privilege model required for our staff to carry out their jobs. This is subject to frequent internal audit and technical enforcement and monitoring to ensure compliancepan>
In-transit communication with DeepDyve is encrypted with TLS 1.2 or higher over public networks. We monitor community testing and research in this area and continue to adopt best practices in terms of cipher adoption and TLS configuration.
DeepDyve data is encrypted at rest with industry standard AES-256 encryption. By default we encrypt at the asset or object level.
DeepDyve’s Quality Assurance (QA) team reviews and tests code base on a per-application basis. The security team has resources to investigate and recommend remediation of security vulnerabilities within code. Regular syncs, training, and security resources are provided to the QA team.
Development, QA/staging, and production environments are logically separated from one another. No customer data is used in any development or test environment.
DeepDyve delivers a robust Security Awareness Training program which is delivered within 30 days of new hires and annually for all employees. In addition, we roll out quarterly focused training to key departments including Secure Coding, Data Legislation, and Compliance obligations.
DeepDyve has a comprehensive set of information security policies covering a range of topics. These are disseminated to all employees and acknowledgement is tracked on key policies such as acceptable use, information security policy, and our employee handbook.
All DeepDyve employees undergo a background check prior to employment which covers 5 years criminal history where legal and 5 years employment verification.
All employees are required to sign non-disclosure and confidentiality agreements.
Access to systems and network devices is based upon a documented, approved request process. Logical access to platform servers and management systems requires two-factor authentication. A periodic verification is performed to determine that the owner of a user ID is still employed and assigned to the appropriate role. Access is further restricted by system permissions using a least privilege methodology and all permissions require documented business need. Exceptions identified during the verification process are remediated. Business-need revalidation is performed on a quarterly basis to determine that access is commensurate with the user’s job function. Exceptions identified during the revalidation process are remediated. User access is revoked upon termination of employment or change of job role.
As a card-not-present merchant, DeepDyve outsources our cardholder functions to a PCI-DSS Level 1 service provider. A copy of our SAQ-A is available on request.
DeepDyve’s privacy policy, which describes how we handle data input into DeepDyve, can be found at Privacy Policy. For privacy questions or concerns, please contact [email protected].
DeepDyve understands the risks associated with improper vendor management. We evaluate and perform due diligence on all of our vendors prior to engagement to ensure their security is to a suitable standard. If they do not meet our requirements, we do not move forward with them. Selected vendors are then monitored and reassessed on an ongoing basis, taking into account relevant changes.
DeepDyve uses third-party sub-processors to provide core infrastructure and services which support the application. Prior to engaging any third party, DeepDyve evaluates a vendor’s security as per our Vendor Management Policy.
Vendor |
Location |
Service Provided |
PayPal |
US |
Payment Processing |
Twilio |
US |
MFA provider |
Google LLC |
US |
Cloud Services Platform |
Hubspot |
US |
Sales / Marketing Platform |
HelpScout |
US |
Customer Management Platform |
Airtable |
US |
Analytics Platform |
Customer.io |
US |
Marketing Platform |
At DeepDyve we consider the security of our system a top priority, and we believe that working with a skilled security researcher community helps improve our security posture.
If you believe you have discovered a potential vulnerability, please let us know by emailing at [email protected]. Encrypt your email using our PGP key to prevent this critical information from falling into wrong hands. We will acknowledge your email within 5 days. Please do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting/modifying other people's data. Only use the accounts you own or for which you have explicit permissions from the account holder.
Provide us a reasonable amount of time to resolve the issue before disclosing it to the public or third party and provide sufficient information to reproduce the vulnerability.
We recommend you include the following information when you report a security bug:
Exclusions:
While researching, we would like you to refrain from
DeepDyve does not offer cash rewards for reporting vulnerabilities.