Data Storage & Data Encryption
All Client files containing customer data are stored on a virtual private server (VPS) at D2K Corp.’s data center which is fully SSAE 16 compliant. Client files are NEVER moved from this secure environment, other than sending files to Clients or Client-approved vendors following the procedures described in this document.
D2K Corp. will only accept files from Clients containing customer data that are encrypted using at least a 128-bit key encryption method. Our preferred vendor for encryption is Symantec with its PGP line of encryption products.
Client files containing customer data are individually encrypted at all times on our VPS, except for the specific time D2K personnel are working with a file, during which time the file must be in a decrypted (not encrypted) state. In addition to manually encrypting files, all files residing on our VPS are automatically separately encrypted by the VPS itself. Even if somehow an outside party were to access the VPS without a D2K authorized account that has name and password security, all files (even decrypted files being worked on by D2K) would be encrypted for the non-authorized party and would be useless gibberish to them. If D2K personnel leave their computer stations for ANY length of time, all customer data files being worked on must be encrypted prior to the employee leaving and their secure connection to the VPS must be closed down. There are NO exceptions to this procedure.
D2K Corp. will only accept files from Clients containing customer data that are encrypted using at least a 128-bit key encryption method. Since Client files containing customer data must be sent directly to our VPS in D2K Corp.’s data center, and D2K personnel NEVER move such files outside of this secure environment, the only approved method for delivering and receiving files containing customer data to and from our Clients is using a Secure File Transfer Protocol (SFTP). Sending files using email (even secure email) is not an acceptable method for transferring files, since our email server is outside of the secure environment of our VPS. If we receive any Client files containing customer data, encrypted or otherwise, as an attachment to an email we will immediately delete the email attachment using a secure deletion method.
Secure Data Deletion
When we delete files containing customer data, we use a secure method of deletion which completely destroys files and folders. Deleting a file using the Windows Recycle Bin is not a secure method of deletion and does not completely delete a file. Files deleted using the Windows Recycle Bin only get partially deleted until they eventually get overwritten by other data files. This is done to allow file recovery software to recover files that were accidentally deleted. In contrast, secure deletion methods such as PGP Shredder, immediately overwrite files multiple times so that even sophisticated disk recovery software cannot recover these files. Free space is also completely wiped so that deleted data is truly unrecoverable.