1. Introduction and purpose of document
This Security Policy describes how the Dokumentárna.cz service (operated by DomusDigital, s.r.o.) ensures protection of data, documents and personal data stored by users in the cloud system.
The purpose of the document is to provide a clear and transparent overview of security measures.
2. Infrastructure security
2.1. Hosting and data centers: The service is operated in a professional data center within the European Union. The data center meets international standards such as ISO 27001, ISO 27017, ISO 27018, or equivalents. Data centers are equipped with physical security: continuous surveillance, camera systems, access control, redundant power and air conditioning, fire and flood protection systems.
2.2. Servers and services: Servers are regularly updated, monitored and patched. The system runs in isolated environments with access control. Access to production data is strictly limited to authorized persons.
3. Data protection
3.1. Encryption: All communication between the user and the service is secured using TLS/HTTPS. Sensitive data is stored only in encrypted form (where technically appropriate). Access passwords are stored using hashing algorithms (bcrypt/argon2).
3.2. Backup: Data is backed up daily. Backups are stored separately from the production environment. Backup retention period: 7 days (can be extended in higher plans).
3.3. Data isolation: Each account has a strictly separated data space. Access by another user to foreign data is not possible.
4. Access and permission management
4.1. Authentication: We use secure authentication procedures with protection against brute-force attacks. Support for multi-factor authentication (if you want it later, I'll add it).
4.2. User permissions: The system supports roles and access rights according to the plan. Users have access only to documents to which they have permission.
4.3. Administrator access: Administrators have access only to necessary parts of the system. Every administrative intervention is logged.
5. Application and software security
5.1. Development standards: The application is developed according to OWASP Top 10 recommendations. Regular internal code reviews are conducted. Deployment takes place through a controlled build pipeline.
5.2. Protection against attacks: Protection against attacks such as: SQL Injection, XSS (Cross-site scripting), CSRF (Cross-Site Request Forgery), Session hijacking, brute force attacks.
5.3. Monitoring and alerts: The system has monitoring of performance, availability and access. Upon suspicion of an incident, an internal security procedure is immediately initiated.
6. Security incidents
6.1. Detection and response: The Provider actively monitors reports of security breaches. In case of an incident: immediate isolation of the affected part of the system, analysis of the cause, minimization of impacts, recovery from secured backups (if needed).
6.2. Notification to Controller: If it is an incident concerning personal data, the Provider will notify the Controller: type of incident, scope of affected data, measures taken, recommendations for the Controller.
7. User responsibility
To ensure full security, the user undertakes to: protect their access credentials, use strong passwords, not access the service from unsecured devices, immediately inform about suspected account breach.
8. Testing and audit
The Provider continuously evaluates security measures. The customer may request information about security processes to the extent appropriate to the type of service. Penetration tests are performed according to internal plans (if you want it as a service, I'll add it).
9. Security policy changes
The Security Policy may be updated according to the development of technology and threats. The current version is always available on Dokumentárna.cz.
10. Effectiveness
This Security Policy takes effect on [fill in date].