DEEP Platform Privacy and Security
DEEP is committed to safeguarding your personal information and intellectual property and to providing a high level of security for our users. The platform employs layered security measures and follows stringent privacy practices to protect your data. This page describes the technical and security architecture and the access management of the platform, as part of our commitment to maintaining a safe and secure digital environment for all our users.
Technical Architecture
Security is built in at all levels of the DEEP System, in both its hardware and software. Web traffic enters through an Azure Web Application Firewall (WAF) that provides centralized protection for DEEP’s web applications against common exploits and vulnerabilities; its rules are based on the OWASP Core Rule Set (CRS). The WAF tier provides the following:
- Secure Sockets Layer (SSL/TLS) termination
- Autoscaling
- Web Application Firewall rules (OWASP CRS)
- URL-based routing
- Multiple-site hosting
- WebSocket and HTTP/2 traffic
Users can manage data with confidence: the system implements controls for security, data processing integrity, data confidentiality and data privacy compliance. DEEP is built on cloud services that hold a number of compliance certifications.
Security Architecture
Microsoft Azure periodically performs updates to improve the reliability, performance, and security of the host infrastructure for DEEP’s virtual machines.
The DEEP operations team has implemented segregation of duties (SoD) so that specific roles can perform only their own tasks, such as deployments, support, monitoring and health checks. Support access is granted through credentials protected by multi-factor authentication (MFA). Deployments are executed from dedicated accounts restricted to specific source IP address and port combinations. All activities performed on the DEEP System throughout every phase of its product lifecycle are logged and audited.
The Web Application Firewall (WAF) is Azure’s cloud-native service that protects web applications from common web attacks such as SQL injection and cross-site scripting; it is used to block malicious actors and automated attacks. Data is protected against loss by configured backups of the DEEP System components, both its services and its data. The DEEP System’s data is encrypted at rest (database) and in transit (TLS/HTTPS). DEEP data in Azure Storage is encrypted and decrypted transparently using 256-bit AES with FIPS 140-2 validated cryptographic modules. Transparent encryption at rest protects stored data from exposure through the underlying storage media; access by application and user identities is governed by the access controls described below.
Confidential Page 18 of 25 Version 4.0, 20-Jun-2024
DEEP Platform - 3rd Party Capabilities
The DEEP System also leverages third-party capabilities, which have been selected for their functionality, security posture, support, and resilience offerings. The third parties currently include:
- Cloud provider - Azure
- Identity and access management - OKTA
- Mission collaboration control - TalkJS
Access Management
Identity and Access Management (IAM) is applied at several levels and is pervasive throughout the DEEP System. DEEP uses OKTA for both identity and access management, which allows DEEP to use local identities as well as an organization’s own identity provider (IdP) to achieve single sign-on (SSO). The DEEP System implements OAuth 2.0 as its authorization protocol. All identities are managed in OKTA, which also manages access through defined roles (Admin, Creator, Reader).
The DEEP System further manages access through a user’s membership in an organization. Each entity instance, such as Catalog content or new content created in a Mission, has an owner organization whose users have access to the instance according to their role (Admin, Creator, Reader).
Each entity instance can also be shared with other organizations (referred to as member organizations); all users of a member organization, regardless of their role, are automatically granted reader rights to the entity. In addition, the system provides for collaboration among organizations through the creation of a synthetic organization. This is made up of a collection of natural (juristic) organizations, and synthetic organizations can themselves behave either as owner or member organizations.
The DEEP System can be configured to provide Single Sign-on for customer organizations.
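The following is an added example, not DEEP’s own code, that expresses the access model described above (owner-organization roles, member-organization reader rights, and synthetic organizations acting as owner or member) as an authorization check. The organization and user names, the permission table per role, the rule that a user keeps the role of their natural organization inside a synthetic organization, the rule that an owner-organization role takes precedence over member-organization reader rights when a user belongs to both, and the handling of synthetic organizations that contain other synthetic ones are all assumptions made for the example.

```python
from dataclasses import dataclass, field

# Role -> permitted actions. The action names are an assumption for this example;
# the page only names the three roles.
ROLE_PERMISSIONS = {
    "Admin":   {"read", "create", "update", "delete", "share"},
    "Creator": {"read", "create", "update"},
    "Reader":  {"read"},
}
ROLE_RANK = {"Reader": 1, "Creator": 2, "Admin": 3}


@dataclass
class Organization:
    name: str
    # Natural organization: user -> role assigned in the identity provider.
    users: dict = field(default_factory=dict)
    # Synthetic organization: the organizations (natural or synthetic) it is made of.
    parts: list = field(default_factory=list)

    @property
    def synthetic(self) -> bool:
        return bool(self.parts)


@dataclass
class Entity:
    name: str
    owner: Organization
    shared_with: list = field(default_factory=list)  # member organizations


def natural_orgs(org, seen=None):
    """Flatten an organization into the natural organizations behind it.
    `seen` guards against a cycle in the composition graph (a synthetic
    organization that, directly or indirectly, contains itself)."""
    seen = set() if seen is None else seen
    if org.name in seen:
        return []
    seen.add(org.name)
    if not org.synthetic:
        return [org]
    result = []
    for part in org.parts:
        result.extend(natural_orgs(part, seen))
    return result


def role_in(org, user):
    """Highest role `user` holds in any natural organization behind `org`,
    or None if the user is not a member. Assumption: inside a synthetic
    organization a user keeps the role of their own natural organization."""
    roles = [o.users[user] for o in natural_orgs(org) if user in o.users]
    return max(roles, key=ROLE_RANK.__getitem__, default=None)


def can(user, action, entity):
    """Authorization decision for one user/action/entity triple.
    Owner-organization users act according to their role; users of member
    organizations get reader rights regardless of role; everyone else is denied."""
    owner_role = role_in(entity.owner, user)
    if owner_role is not None:
        return action in ROLE_PERMISSIONS[owner_role]
    if any(role_in(org, user) is not None for org in entity.shared_with):
        return action == "read"
    return False


# Constructed sample data (hypothetical organizations and users).
acme = Organization("Acme", users={"alice": "Admin", "bob": "Reader"})
globex = Organization("Globex", users={"carol": "Creator"})
initech = Organization("Initech", users={"dave": "Admin"})
consortium = Organization("Consortium", parts=[acme, globex])  # synthetic organization

catalog = Entity("Catalog item", owner=acme, shared_with=[globex])
mission = Entity("Mission content", owner=consortium, shared_with=[initech])

if __name__ == "__main__":
    for user, action, entity in [("alice", "delete", catalog), ("bob", "create", catalog),
                                 ("carol", "update", catalog), ("carol", "update", mission),
                                 ("dave", "read", mission), ("dave", "delete", mission)]:
        print(f"{user:6} {action:7} {entity.name:16} -> {'allow' if can(user, action, entity) else 'deny'}")
```

The two points worth checking in such a model are visible in the sample: `dave` is an Admin in his own organization but only a reader on `mission`, because Initech is a member rather than the owner, and `carol` can update `mission` because the owning synthetic organization resolves down to Globex, where she is a Creator. The `seen` set in `natural_orgs` is what stops a mis-configured synthetic organization that contains itself from recursing forever.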
Building Digital Measures