Securing Your Data at Rest
Within our systems, all your data is stored using AES-256 encryption with a uniquely derived key for each user, following the recommendations of NIST Special Publication 800-132. We encrypt every single personally identifiable field in the database, including your name and email address. For searching and indexing, we hash a small number of fields using HMAC. We apply the same encryption technique to all files you upload.
As with all systems such as ours, the security of your information depends on you. You must choose a strong password (we enforce that as best we can) and you should never share your password with anyone. Dex Merchant provides a much more secure system for sharing information with those you care about via our Deputy function.
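The per-user key derivation and HMAC-based search hashing described above can be sketched as follows. This is an added example, not Dex Merchant's code. It assumes PBKDF2-HMAC-SHA256 derived from the user's password, an iteration count of 600,000, a separate server-side index key, and case-insensitive email matching; all function and field names are hypothetical, and the AES-256 step is left out because the Python standard library has no AES.

```python
import hashlib
import hmac
import unicodedata

PBKDF2_ITERATIONS = 600_000  # assumed work factor; the page does not state one
KEY_LEN = 32                 # 256 bits, the key size AES-256 needs
# Constructed demo key; a real index key is random and kept outside the database.
INDEX_KEY = hashlib.sha256(b"constructed demo index key").digest()


def derive_user_key(password: str, salt: bytes) -> bytes:
    """Derive a per-user 256-bit key with PBKDF2-HMAC-SHA256 (SP 800-132)."""
    if len(salt) < 16:
        raise ValueError("SP 800-132 recommends a salt of at least 128 bits")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def blind_index(index_key: bytes, field: str, value: str) -> str:
    """Keyed hash of a normalized field value, usable for equality search."""
    # Assumed normalization: Unicode NFKC, trimmed, case-folded.
    normalized = unicodedata.normalize("NFKC", value).strip().casefold()
    # Bind the field name so one value in two columns gives different tags.
    msg = field.encode("utf-8") + b"\x00" + normalized.encode("utf-8")
    return hmac.new(index_key, msg, hashlib.sha256).hexdigest()


def find_user(rows: list, index_key: bytes, email: str):
    """Find a row by email while the table stores only the keyed hash."""
    wanted = blind_index(index_key, "email", email)
    for row in rows:
        if hmac.compare_digest(row["email_idx"], wanted):
            return row
    return None


# Constructed rows: each stores its own salt and an email tag, never the email.
ROWS = [
    {"id": 1, "salt": bytes.fromhex("a1" * 16),
     "email_idx": blind_index(INDEX_KEY, "email", "alice@example.com")},
    {"id": 2, "salt": bytes.fromhex("b2" * 16),
     "email_idx": blind_index(INDEX_KEY, "email", "bob@example.com")},
]
```

Because the index uses a keyed hash rather than a plain one, someone holding only a copy of the table cannot test guessed email addresses against the stored tags without also holding the index key.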
Securing Your Data in Transit
All communications between you and Dex Merchant are encrypted via SSL using 2048-bit certificates and we require SSL on all communications. We are implementing perfect forward secrecy so that someone who eavesdrops on your communication will still not be able to decrypt the data, even in the event that our key is compromised.
Operational Procedures to Keep the Site Secure
Dex Merchant follows best practices to keep your data secure. In addition to severely restricting access to operational environments (including private keys), we regularly audit our environments and code for security issues and apply patches expeditiously. We use commercial services that regularly check our site and we also retain our own security experts to probe and verify the security of our site.
Administrative Access to Your Information
Because your security and privacy are paramount to us, we restrict our administrators' access to your account to the limited set of data necessary to help grant you access to your account (by triggering confirmation emails, for example) and to help you restrict access to your account in urgent circumstances (such as by limiting or removing a Deputy's access). Dex Merchant administrators can never see the plan information that you fill out or any documents that you upload. They may have access to limited metadata (such as whether or not you uploaded a will) but not the data itself (they will never be able to see the will you uploaded). Dex Merchant logs and regularly audits all access to your account, whether by you, an administrator or your Deputies.