Last Updated: 22.10.2024
This Security Policy describes how Dealfluence Oy (also referred to as “Adeu”, “Adeu Solutions”, “Dealfluence”, “we” or “us”) will make sure your data and your client's data are secure when you interact with us, use the services on our platform, or our affiliates, including our application programming interface, software, tools, developer services, data, documentation and websites (“Services”).
1.1 Customer Data will be hosted by Dealfluence in data centers located in the EU.
1.2 Any Customer Data that is processed by Dealfluence’s vendors will similarly be restricted to being located in the EU or be fully compliant with GDPR.
2.1 Dealfluence encrypts Customer Data at-rest using AES 256-bit (or better) encryption. Dealfluence uses Transport Layer Security 1.2 (or better) for Customer Data in-transit over untrusted networks.
2.2 With respect to encryption keys, we regularly rotate encryption keys and utilize hardware security modules to safeguard critical security keys. Dealfluence logically separates encryption keys from Customer Data.
3.1 Dealfluence personnel access to our Cloud Environment is with a unique user ID and is consistent with the principle of least privilege. Access requires a secure connection, multi-factor authentication, and passwords meeting or exceeding reasonable length and complexity requirements.
3.2 Dealfluence personnel will not access Customer Data except (i) to provide or support the Service or (ii) to comply with the law or a binding order of a governmental body.
3.3 In accessing our Cloud Environment, our personnel will use laptops that utilize security controls that include encryption and that also include endpoint detection and response tools to monitor and alert for suspicious activities and malicious code and vulnerability management as described in Section 4.7.
3.4 Dealfluence shall protect its Cloud Environment using at least industry standard firewall and security practices.
3.5 Our Cloud Environment leverages industry-standard threat detection tools with daily signature updates, which are used to monitor and alert for suspicious activities, potential malware, viruses and/or malicious computer code (collectively, “Malicious Code”). Dealfluence does not monitor Customer Data or Input for Malicious Code.
3.6 Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Service. Upon becoming aware of such vulnerabilities, Dealfluence will use commercially reasonable efforts to address private and public critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days.
5.1 Our Cloud Environment (Azure) is maintained by one or more cloud service providers. We ensure that our cloud service providers' data centers have appropriate controls as audited under their third-party audits and certifications. Each cloud service provider shall have a SOC 2 Type II annual audit and ISO 27001 certification, or industry recognized equivalent frameworks. Such controls include:
- Physical access to facilities is controlled at building ingress points;
- Visitors are required to present ID and must be signed in;
- Physical access to servers is managed by access control devices;
- Physical access privileges are reviewed regularly;
- Facilities utilize monitor and alarm response procedures;
- Facilities utilize CCTV;
- Facilities have adequate fire detection and protection systems;
- Facilities have adequate back-up and redundancy systems; and
- Facilities have appropriate climate control systems.
5.2 Dealfluence does not maintain physical offices other than for limited corporate and executive purposes. Under no circumstances is Customer Data stored or hosted at such offices.
6.1 If Dealfluence becomes aware of a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a “Security Incident”), Dealfluence shall notify You without undue delay, and in any case, within 72 hours after becoming aware. You will be notified at the security notice email address indicated on your currently operative order form or as otherwise determined appropriate by Dealfluence.
6.2 In the event of a Security Incident as described above, Dealfluence shall promptly take reasonable steps to contain, investigate, and mitigate any Security Incident. Any logs determined to be relevant to a Security Incident shall be preserved for at least one year.
6.3 Dealfluence shall provide You with timely information about the Security Incident, including the nature and consequences of the Security Incident, the measures taken and/or proposed by Dealfluence to mitigate or contain the Security Incident, the status of our investigation, and a contact point from which additional information may be obtained. Notwithstanding the foregoing, Customer acknowledges that because Dealfluence personnel may not have visibility to the content of Customer Data, it may be the case that we are unable to provide detailed analysis of the type of Customer Data impacted by the Security Incident. Communications in connection with a Security Incident shall not be construed as an acknowledgment by Dealfluence of any fault or liability with respect to the Security Incident.
If you have any questions about our Security Policy or security-related issues, please contact our CTO at: