The most important underlying principle we have adopted is Data protection by design. It is a well-known principle where privacy and security are taken into consideration through the whole product development process, from design to release, until the end of the life cycle. What does this mean specifically for us? It means that every feature or functionality request, be it from customers or sprouting from the product roadmap, is checked against the core security principles. Can this be done safely? What is the impact on privacy? What are the potential security implications? Only after the validation will it be moved forward to the design phase. It is not rare that a request is rejected for a security reason, or functionality is tweaked significantly to make sure the risks are mitigated.
On the other hand, we stay true to our main design principles and aim to provide a great user experience which we define as producing a maximum result with minimum effort from the user. This principle works beautifully with the product development mantra “Simple is good” producing an easy-to-understand and robust set of features that are more reliable, testable, and safer as a result.
It is a constant balancing act between security and usability to make sure that every click and validation we ask from the user is justified and truly makes the product safer, not only appear to do so. We want to avoid security by obscurity and pseudo-security as much as possible - for example, hiding a data field from the user’s view even though it has already been sent over to their computer does not protect said data.
In our eyes, the most precious thing we have in our hands is the data - of people, companies, deal rooms. Users have trusted us with their data and we must ensure it is not made available, on purpose or accidentally, to those who are not supposed to see it.
Online safety and security principles are constantly evolving. For example, special characters were until recently considered a must for strong passwords. Now the online security community has concluded that passwords that are highly complex (for humans, that is) and difficult to remember do not serve their purpose, considering that the majority of data breaches happen as a result of phishing and stolen credentials. We keep an eye on recent developments - not jumping on every new bandwagon, but rather trying to find a reasonable middle ground and adjusting when it makes sense.
It’s one thing to have good principles in place but another to put them into practice. How do we, day in and day out, make sure that you can trust our software?
One of the pillars of Dealum is that every piece of data entered on the platform belongs to someone - there is no information that doesn’t have an owner who decides what can or cannot be done with it and who can access it. The data ownership is mapped in detail and the map is built into the product. We use help texts extensively to make sure the user knows exactly what will happen when they enter data, click on a button or perform any other action.
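To make two of the points above concrete - that every record has an owner who decides who may access it, and that hiding a field in the user's view does not protect data that has already been sent to their browser - here is an added illustration in Python. It is not Dealum's code; the DealRoomDocument record, its fields and the owner/shared-with rules are assumptions made for the example. The safe serializer decides on the server which fields to send at all, while the anti-pattern beside it sends the whole record and merely tells the UI to hide a field.

```python
"""Added example (not Dealum's code): ownership-based access and server-side
field filtering, contrasted with the pseudo-security of hiding a field in the UI."""
from dataclasses import dataclass, field


# Constructed sample record; the fields and roles are assumptions for illustration.
@dataclass
class DealRoomDocument:
    doc_id: str
    owner: str                     # the user who decides who may see this record
    title: str
    valuation_notes: str           # sensitive: only the owner may ever see it
    shared_with: set = field(default_factory=set)   # users the owner invited


PUBLIC_FIELDS = ("doc_id", "title")
OWNER_ONLY_FIELDS = ("valuation_notes",)


def visible_fields(doc, requester):
    """Return the field names the requester is entitled to, decided server-side."""
    if requester == doc.owner:
        return PUBLIC_FIELDS + OWNER_ONLY_FIELDS
    if requester in doc.shared_with:
        return PUBLIC_FIELDS
    return ()   # no relationship to the record: nothing is visible


def can_access(doc, requester):
    return bool(visible_fields(doc, requester))


def serialize_for(doc, requester):
    """Safe version: fields the requester may not see are never put in the response."""
    fields = visible_fields(doc, requester)
    if not fields:
        raise PermissionError(f"{requester} may not access {doc.doc_id}")
    return {name: getattr(doc, name) for name in fields}


def serialize_hide_in_ui(doc, requester):
    """Anti-pattern: the full record is sent and a 'hidden_fields' hint asks the UI
    not to display the sensitive value. The value is still in the response and can be
    read by anyone who inspects the traffic or the page, so nothing is protected."""
    payload = {name: getattr(doc, name) for name in PUBLIC_FIELDS + OWNER_ONLY_FIELDS}
    payload["hidden_fields"] = [] if requester == doc.owner else list(OWNER_ONLY_FIELDS)
    return payload


# Constructed sample data: alice owns the document and has shared it with bob.
SAMPLE = DealRoomDocument("doc-42", "alice", "Term sheet", "target 3x in 5y", {"bob"})

if __name__ == "__main__":
    print("owner sees    :", serialize_for(SAMPLE, "alice"))
    print("invitee sees  :", serialize_for(SAMPLE, "bob"))
    print("anti-pattern  :", serialize_hide_in_ui(SAMPLE, "bob"))
    print("stranger access:", can_access(SAMPLE, "mallory"))
```

The only serializer a server should expose is the first one: the decision about who sees what is made against the ownership map before the response is built, so there is nothing for a client-side tweak to reveal.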
The “need to know” policy also applies within the team, to all data we hold. Access to data and servers is only granted when it is absolutely necessary to fulfil a task. And it is not just WHO you are but also WHERE you are physically that limits your access to the server. We monitor server activity constantly, and as soon as something out of the ordinary appears (such as an unusual access pattern), we investigate what is going on. It goes without saying that backups are encrypted and antivirus runs on the server.
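As an added illustration of the location-based access and activity monitoring described above (example code, not Dealum's tooling), here is a small Python check over constructed SSH-style auth log lines. The allowed networks, the failure threshold and the log format are assumptions; it surfaces two kinds of "out of the ordinary" events for a human to investigate: a successful login from outside the expected networks, and a burst of failed logins from one source.

```python
"""Added example (not Dealum's tooling): flag server logins from unexpected
locations and bursts of failed logins in constructed auth log lines."""
import ipaddress
import re
from collections import Counter

# Assumption: the only networks (office/VPN) from which admin access is expected.
ALLOWED_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("203.0.113.0/24"),
]
FAILED_BURST_THRESHOLD = 3   # assumed: this many failures from one IP is worth a look

# Matches the "Accepted ... for USER from IP" / "Failed ... for USER from IP" lines
# written by OpenSSH; "invalid user" is skipped so the username is captured cleanly.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Accepted|Failed) \w+ for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+)"
)


def parse(line):
    """Return (result, user, ip) for an auth line, or None for lines we ignore."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("result"), m.group("user"), ipaddress.ip_address(m.group("ip"))


def is_allowed_source(ip):
    return any(ip in net for net in ALLOWED_NETWORKS)


def analyse(lines):
    """Return a list of (kind, detail) findings that deserve investigation."""
    findings = []
    failures = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed is None:
            continue
        result, user, ip = parsed
        # "WHERE you are": a successful login from outside the allowed ranges.
        if result == "Accepted" and not is_allowed_source(ip):
            findings.append(("login_from_unexpected_location", f"{user} from {ip}"))
        if result == "Failed":
            failures[ip] += 1
    # "Unusual pattern": repeated failures from one source.
    for ip, n in failures.items():
        if n >= FAILED_BURST_THRESHOLD:
            findings.append(("failed_login_burst", f"{n} failures from {ip}"))
    return findings


# Constructed sample log lines (documentation IP ranges, not real hosts).
SAMPLE_LOG = [
    "Mar  3 08:01:12 app1 sshd[2201]: Accepted publickey for deploy from 10.20.4.7 port 51122 ssh2",
    "Mar  3 08:05:40 app1 sshd[2244]: Failed password for root from 198.51.100.9 port 40111 ssh2",
    "Mar  3 08:05:41 app1 sshd[2244]: Failed password for root from 198.51.100.9 port 40111 ssh2",
    "Mar  3 08:05:43 app1 sshd[2244]: Failed password for invalid user admin from 198.51.100.9 port 40112 ssh2",
    "Mar  3 09:17:02 app1 sshd[2390]: Accepted password for deploy from 192.0.2.55 port 60211 ssh2",
]

if __name__ == "__main__":
    for kind, detail in analyse(SAMPLE_LOG):
        print(f"{kind}: {detail}")
```

The login from 10.20.4.7 produces no finding because it comes from an allowed network; the one from 192.0.2.55 does, even though the credentials were accepted, which is exactly the case where a location rule adds something a password alone cannot.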
To prevent bugs and coding errors, all changes to the code are tracked and every contribution is double-checked by another team member. A well-guarded “golden copy” of the code safeguards against malicious activity on the server and also serves as a fall-back copy that helps us get back up and running faster in an emergency. We improve our servers and software constantly and deploy security fixes outside regular releases when necessary.
The Dealum platform follows the OWASP Application Security Verification Standard 4.0 (level 1), and our servers are located within the EU. We have involved independent external consultants to evaluate and test our system, and as a result of the Data Protection Impact Assessment concluded in 2020 we can confidently say that your data is in good hands.
Trusting our users - that they do not abuse the system and behave responsibly - is built into our company DNA. We try to avoid restricting usage and imposing limitations on users where possible, and instead monitor behaviour so we can reach out as soon as we see someone taking one step too far. So far it has paid off, and we are happy to say that our customers treat the product with respect.
In addition to using the product the way it’s meant to be used, there are also the digital hygiene factors that help you and other Dealum users keep themselves safe in the virtual world. These may sound basic, but are always worthy of a brief reminder:
- Keep your username and password in a safe place (password managers are great!).
- Do not share your credentials with anyone, not even your colleagues (our accounts are free of charge, everyone can have their own).
- Do not use an outdated browser and keep your software updated.
- Do not leave your device without supervision and unlocked.
The last commandment is the most overlooked one - hands up, who remembers to always lock their computer screen when going for a cuppa in the office kitchen? But it is also one of the worst-case scenarios: once someone ill-minded has access to your unlocked desktop, they can do a lot of damage, no matter how strong your online passwords are or how much effort the product development team has put into the software you use. We suggest you practise hitting Windows+L (on PC) or Ctrl+Shift+Power (on Mac) every time you rise from your seat.
What to do if you believe your Dealum account has been compromised or notice software behaving in an unexpected way?
1) Go to your Personal Settings > Security tab > Click on “Log out from all devices”;
2) Change your password;
3) Contact us via firstname.lastname@example.org so we can investigate.
Although digitalisation and the use of online tools bring along changes to the way you safeguard your data, these changes are not always necessarily bad. We have developed Dealum with security in mind from the very beginning and will continue to prioritise it through the development process. Hopefully, this post helped you better understand our data and privacy protection principles. If you still have some questions then don’t be afraid to reach out to our support or your dedicated Account Manager - we are happy to share further insight!