Security Policy
This page outlines the security measures and principles our team applies, so you could safely migrate your data.
Privacy By Design and By Default
Help Desk Migration considers data privacy on the onset of all projects, products, product development, and Services offered. It is never an afterthought. Help Desk Migration’s Data Protection Officer is involved in all issues, measures, and (software) designs related to security and has independent and direct access to all source code.
Safety Measures at Help Desk Migration
Help Desk Migration has installed numerous technical and organizational measures to ensure an appropriate (data) protection level. These measures include:
- Taking the circumstances and purposes of the processing into account, as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities.
- Enabling an immediate detection of relevant infringements events.
Technical Measures
Technical measures are divided into various subsections, each of them separately discussed.
Employee-related security
- All workstations (laptops & desktops) of employees are encrypted using disk encryption.
- Access to various web applications accessible by employees are using single-sign-on and two-factor authentication (Google Oauth) and require a Virtual Private Network (VPN) when working remotely.
- Administrator access to the Help Desk Migration Platform Management interface is only allowed by VPN.
Personal Data
All personal data is kept using a retention period. Backup data is stored in proprietary binary format (“pseudo encrypted”) and separated per client. Graylog required for system monitoring has a retention period of 30 days max.
Data Storage
All data silos are installed and managed in our infrastructure, except for Amazon S3, located in Germany. Each data silo can only be accessed through our Virtual Private Network:
- Public network traffic uses Secure Socket Layer (SSL).
- Private network traffic is currently unencrypted; we use HTTPS termination on LB.
Data Monitoring
We closely monitor data access and transformation. Audit logs of who accessed data are in place and stored for an unlimited period. We currently only monitor our centralized data access interfaces; native clients are not monitored.
Network Security
Help Desk Migration network security team protects your data against the most sophisticated electronic attacks. We use the best and proven practices of network security.
Help Desk Migration offers the following preventive measures:
- network firewalls.
- DDoS preventions.
- network posture assessment.
Data access and authentication
Only authorized tech engineers at Help Desk Migration have access to the source code, can work on custom migrations, and solve support cases on demand of the support staff. Different engineers have different access rights depending on their job requirements. All engineers have their own credentials as well as some parts of the software can only be reached from specific IPs.
Production environment security
- Logging in to the servers is only possible by means of public/private key exchange; passwords are not used.
- The administration panel requires two-factor authentication.
- All security updates are automatically installed, and the server is always up-to-date.
- Strict firewall configuration from the public internet that only allows HTTP and HTTPS access on load balancers.
- Communications to and from the servers, as well as backups, are only performed via secured channels (SSL / HTTPS).
- SSH is only accessible by private VPN.
- There is active monitoring (gray log + alerts) and the banning of incorrect login attempts (fail2ban).
- All (virtual) servers are hosted externally.
Hosting & Infrastructure
Help Desk Migration hosts its complete infrastructure at AWS. All of our (virtual) servers & services and our data storage are located within the European Union (Germany). This includes our backup copies stored in Amazon Web Services S3 (AWS), whose designated location is Germany (Frankfurt).
AWS products are compliant with GDPR, and there’s a long list of other compliance programs.
For instance, data center parks are protected from fire and natural disasters. Only authorized personnel can access via electronic access control terminals with a transponder key or admission card. Data parks are under 24/7 surveillance and are equipped with diesel power generators for autonomous mode.
Data Transformation
All our data processing is based on events, single small pieces of immutable data that encapsulate a unique event that occurred in the past. We use these events to construct data representations and data profiles, and since events are immutable, direct data transformation is not possible by default.
Other than correcting data belonging to a Data Subject, it is impossible to alter or correct data stored in our data silos, with the sole exclusion of Database Administrators.
Data-in-transit & Data-at-rest
Data-in-transit is defined by two categories: information that flows over the public or untrusted network such as the internet, and data that flows in the confines of a private network such as a corporate or enterprise Local Area Network (LAN). At Help Desk Migration, all data that flows through public networks is encrypted using SSL. Our private networks are heavily protected and, thus, not accessible by the public, making it not necessary to be using SSL.
Data-at-rest is data that is not actively moving from device to device or network-to-network, such as data stored on a hard drive, laptop, flash drive, or archived/stored in some other way. Data protection at rest aims to secure inactive data stored on any device or network. While data-at-rest is sometimes considered less vulnerable than data in transit, attackers often find data at rest a more valuable target than data in motion. At Help Desk Migration, all hard disks (or desktops, laptops, and servers) use disk encryption by default.
Organizational Measures
Security
We have the following organizational measures in place concerning security:
- Centrally organized public key (key) registration for access to the servers; a key can be withdrawn within several minutes (during office hours Monday to Friday, 09.00 - 00:00 GMT+2).
- Code review is required for all software that communicates with the Database.
- Use of a development model for software that works with minor updates on each occasion to minimize the security impact of the updates.
- Only the employees who must maintain the Database server have access.
- Audit-logging of all attempts to login into the Database server.
- Employees cannot physically access the servers.
- All employees are obliged to maintain confidentiality (see Confidentiality).
- The backup system enables (disaster) recovery to be carried out within several hours (during office hours Monday to Friday, 09.00 - 00:00 GMT+2).
Confidentiality
All employees of Help Desk Migration have signed an explicit clause in their employment contract that enforces confidentiality during the employment contract as well as thereafter - regardless of the manner in which and the reasons for which the employment contract has ended - to refrain from making any statement to third parties, in any way, directly or indirectly, or in any form, about data of a confidential nature in connection with the business of Help Desk Migration and/or affiliated companies.
Business Continuity
Help Desk Migration offers an escrow service that guarantees the continuation of our services for at least six months. Our escrow services are provided by an alternative business entity, i.e., Relokia, which is part of the Help Desk Migration family.
Addition to security policy - dedicated AWS server
A dedicated AWS server can make enterprise data migration a better controlled, seamless experience. You can run a separate virtual Amazon EC2 (Elastic Compute Cloud) instance and have a new level of customization and security and benefit from built-in compliance. To be more specific:
- Resources are allocated just for you. You can be certain that the hardware you’re using isn’t shared with anyone else. We can completely isolate your EC2 instance by restricting access for anyone except our experts and your team.
- Enhanced infrastructure security. As part of the Amazon Elastic Compute Cloud, your dedicated instance inherits all the industry-standard and advanced security features of the ecosystem. You can view a detailed list of available infrastructure security options here.
- Data encryption. Dedicated AWS EC2 instances fully support 256-bit encryption at rest and in transit, so your data can't be decoded even if its transmission is intercepted. It also works for cross-border transactions.
- A wide selection of server locations. Multiple locations are available to host your data migration. This guarantees 1) uninterrupted availability and lightning-fast performance, and 2) choice of servers within specified regions and ensures data residency compliance for data storage and transfer.
- Compliance out of the box. All AWS products are compliant with GDPR, and there’s a long list of other compliance programs. And if your compliance needs are highly specific and complex, you can always count on our team's help in finding the best solution.
Security Audits
Regularly, we scan all systems to prevent any vulnerabilities. The software is constantly updated, so all connections to the previous version are limited, logged, and checked.
We comply with your confidentiality and guarantee that all your help desk data is 100% secure before, during, and after the migration. We take appropriate security measures to protect against unauthorized access to or unauthorized alteration, disclosure, or data destruction. These include internal reviews of our data collection, storage, and processing practices and security measures, as well as physical security measures to guard against unauthorized access to systems where we store personal data.
Subcontracting
Help Desk Migration does not work with any subcontractors that provide services that relate directly to the provision of the principal services as described in this document. Concerning ancillary and auxiliary services provided by third parties (e.g., telecom, hosting), when possible, Help Desk Migration makes appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client’s data, even when such services are outsourced.
Disaster Recovery
Help Desk Migration has disaster recovery (DR) procedures, policies, and scripts defined and in place.
Segregation of Duty (SoD)
The basic concept underlying segregation of duties is that no employee or group should be in a position to perpetrate or conceal errors or fraud in the normal course of their duties. In general, the principal incompatible duties to be segregated are:
- Authorization or approval of related transactions affecting those assets.
- Custody of asset.
- Recording or reporting of related transactions.
The importance of SoD arises from the consideration that giving a single individual complete control of a process or an asset can expose the organization to risk. Principally, several approaches are optionally viable as partially or entirely different paradigms:
- Sequential separation (two signatures principle).
- Individual separation (four-eyes principle).
- Spatial separation (separate action in separate locations).
- Factorial separation (several factors contribute to completion).
Increased protection from fraud and errors must be balanced with the increased cost/effort required. Help Desk Migration currently has installed the following:
- Audit trails are in place: server logging, data access logging, configuration changes, user auditing, etc. See technical measures.
- Our development methodology encapsulates code reviews and merge requests, both enforce the “four-eyes principle."
- We have off-site backups stored outside our main data center to bypass force majeure at a single location.
How you can secure your account
Two-factor Authentication
The Help Desk Migration team provides you with the opportunity of 2FA while logging in to your Migration Wizard account.
This way, you will add an extra layer of security to the application and go through two identificatory steps while gaining access to your data:
- Firstly, you’ll need to enter your email and password or sign in with your social media profile.
- Secondly, you’ll be required to reaffirm your willingness to log in to your Migration Wizard account by providing a variable code generated by the authenticator application that has to be installed on your phone.
Only after passing these two verification steps, you will get access to your Migration Wizard account.
If you decide to enable it, simply go to your Account Settings > Two Factor Authentication and drag the slider to the right.
The Monitoring of User Activity Sessions
The Help Desk Migration service allows you to view the history of user activity sessions in Migration Wizard.
As follows, you will be able to track all information about any user activity in your account. Such details as IP address, the device used during the session, and the login time will be recorded each time somebody logs into your Migration Wizard account.
Moreover, all actions that will be performed during user activity sessions will be captured. Finally, you’ll have an option to revoke any previously performed session. So, if you granted access to your account to someone on your team, you will be able to revoke any user activity session on their device if needed.
In order to gain information concerning user activity in Migration Wizard, go to your Account Settings > Active Sessions.
Certification & Compliance
HIPAA Compliance
Help Desk Migration is not in compliance with HIPAA.
EU GDPR
Help Desk Migration is compliant with the requirements of the General Data Protection Regulation. You can learn more information by visiting this page.
ISO/IEC 27001:2013
Help Desk Migration data centers are compliant with ISO/IEC 27001:2013 since our hosting provider, AWS.
PCI DSS
Help Desk Migration uses 2Checkout and PayPro to accept payments. Both providers are certified PCI Level 1 Service Providers, the most stringent level of certification available in the payments industry. You can verify this by checking 2checkout’s fraud protection policy and PayPro’s compliance page.
Note, that we do not store or process any of your payment data.
Frequently asked questions
Why does Help Desk Migration need specific permissions to perform the migration?
Help desk apps require users willing to migrate their data to have advanced privileges (admin rights). That’s because admin accounts have the right to read and write data. Help Desk Migration simply complies with these requirements.
In addition, some help desk apps will require you to allow our Migration Wizard to access your data. This is done for safety reasons; It is also necessary to make the migration possible. Our tool will not be able to move your data unless you allow it to do so.
Is it possible to delete all data that relates to me?
Yes, you may contact your account manager and request to delete your personal data. Regarding the data stored on our server during the migration, it is automatically deleted 10 days after you had completed the Demo, connected your source or target instances, and 5 days after completing the Full Data Migration. You will see that your migration has been archived.
If you’d like, you can request to have it removed faster.
Are SSO options available?
Yes, of course. You can sign up/sign in using your Google, Facebook, or LinkedIn account. No need to come up and remember another password. Quickly and easily sign in and get your data moving.
How to report a security vulnerability?
If you believe you’ve found a security vulnerability in our data migration tool, please contact us at contact@help-desk-migration.com. Also, include the following to help investigate the case:- Description of the location and potential impact of the vulnerability.
- A detailed description of the steps required to reproduce the vulnerability (POC scripts, screenshots, and screen captures are all helpful to us).