Security Policy

Last Updated: [September 29, 2024]

At dynhyp, security is our top priority, and we are committed to protecting the privacy of your data. We follow industry best practices rigorously.

Security Practices

Our security practices include:

  • Data encryption at rest for all our data stores
  • Data encryption in transit for all network communication, internal or external
  • Strict controls and policies for employee access to production systems
  • Minimal scope credentials with periodic rotation
  • Mandatory SSO with MFA for all critical services
  • Automated vulnerability scanning of software dependencies
  • Regular upgrades of software dependencies (typically weekly)
  • Regular assessment of all third-party risks
  • Clear separation between control plane and data plane
  • Limited retention of PII in our observability system (max 2 weeks)
  • Continuous monitoring of security news and threat intelligence feeds

Infrastructure Security

The dynhyp service runs on AWS and Cloudflare, whose data centres provide the physical security of our servers and hold the following compliance attestations:

  • AWS compliance programs: PCI-DSS, HIPAA/HITECH, FedRAMP, FIPS 140-2, NIST 800-171
  • Cloudflare certifications: SOC 2 Type II, FedRAMP Moderate, PCI DSS 3.2.1, and more

dynhyp is GDPR compliant and is actively pursuing additional compliance certifications. If you require a specific certification to use dynhyp, please contact us.

Responsible Vulnerability Disclosure Program

We greatly appreciate the security community's efforts in responsibly disclosing vulnerabilities, helping us maintain the safety of our customers' data.

Reporting a Vulnerability

If you discover a vulnerability:

  1. Email support@dynhyp.com with your findings.
  2. We triage every report. For new vulnerabilities assessed as medium severity or higher, we may offer a bounty at our discretion.

Guidelines for Vulnerability Testing

When searching for vulnerabilities, please:

  • Avoid privacy violations, data destruction, and service interruptions
  • Keep all vulnerability information confidential until we publicly disclose it
  • Do not perform any DoS or DDoS attacks
  • Do not use automated scanners without our explicit permission
  • Provide sufficient information to reproduce the vulnerability

Our Commitment

We promise to:

  • Respond to your message within 3 business days
  • Keep you informed about mitigation and resolution progress
  • Handle your report with strict confidentiality
  • Give you credit for finding the vulnerability if we publish a public report

Out of Scope

The following are considered out of scope and not eligible for rewards:

  • Bugs with no security implications
  • Email spoofing
  • Social engineering and phishing
  • DoS or DDoS attacks
  • Any vulnerability against the feedback.dynhyp.com sub-domain

We are committed to maintaining the highest standards of security and appreciate your cooperation in keeping dynhyp safe and secure for all our users.