Mydex Security Model
At Mydex we take security very seriously. We have taken extraordinary steps to maintain the security and integrity of our members’ information. But we understand that you need to know what we are doing to protect your information, so here are the details:
Secure foundations
Mydex is designed from the ground-up to be secure. From its platform architecture to our software development and systems administration, security is built into the very fabric of the service and how it is delivered.
In a world of ever-changing threats security can be likened to an arms race, so our approach is always to be as good as the best available or a step ahead. We apply many of the same security practices as your bank including encryption, verification and back-ups.
Secure servers, secure service provision
Mydex uses Amazon Web Services as its hosting provider. All your data is stored in encrypted form on UK-based servers managed by a specialist provider whose reputation has been built on ensuring the privacy, safety, and security of commercial and public sector customers, government, health and education around the globe.
Our servers sit inside buildings that are monitored 24x7 and cannot be accessed without security clearance (photo ID, notified in advance). Access to any of our systems that hold any of your data is strictly limited. In line with our ISO 27001 certification, our hosting provider has no access to your data, just as we don’t; it remains encrypted at all times on Mydex servers.
Our platform is constantly monitored and rigorously controlled using ‘zero touch’ deployment tools, static code analysis, code hardening and a hybrid testing model. We also use trusted third-party services to test for potential security weaknesses. We continually monitor threats and extend our testing capability proactively. We welcome anyone identifying potential issues; constant vigilance is our mantra.
Security in the round
Mydex systems are built using open source tools and code, proven in real world application. External scrutiny by a global community of developers provides a level of transparency and assurance that some commercial offerings cannot, in an era when relationships between corporations and nation states can sometimes be too close for comfort.
We are constantly evaluating new and improved security methods and techniques such as rotating ciphers, homomorphic encryption, biometrics and new forms of multi-factor authentication whilst constantly testing usability and convenience for our members.
Security threats go beyond the technology itself and are often targeted at human behaviour and the processes surrounding the technology. Mydex takes a formal approach to information security management and is ISO 27001 and Fair Data certified based on what we actually do day to day. By developing good practice based on practical reality and adopting an integrated, externally-auditable process of continual improvement we maintain the all-round vigilance your personal information deserves.
Encrypted data, encrypted communication
From the moment it is entered your personal information is encrypted using AES 512-bit encryption, the highest standard available today. Mydex is committed to using proven cryptographic methods which are open, readily available and trusted by the security community.
No matter what device you use to access your personal data store (PDS), from your desktop browser to your mobile phone, your data is always sent using 256-bit SSL with TLS 1.2 or higher – the highest standard communication security. So no-one can see or steal your data as it is transmitted to or from your PDS.
When you exchange data with a Subscribing organisation you have agreed to send data to or receive data from, that data is encrypted using a one-time key, which is delivered via an asymmetric key pair unique to your connection with that Subscribing organisation. Asymmetric keys allow the sender to be verified: data encrypted with one key can only be decrypted by the other key.
We distribute these private keys over our secure APIs at the point of first connection, using a separate asymmetric key system which is set up during the verification and certification of Subscribing organisations. We issue each Subscribing organisation with a private key and store their public key with your PDS, so that when data is automatically encrypted before transmission using the one-time key, you can securely send that one-time key directly to them over your private connection. When the Subscribing organisation receives the encrypted data payload, it uses the one-time key delivered over the private PKI channel to decrypt the data before processing it into its own systems. We generate all keys using a secure process and in real time. We keep no record of the key pairs after they have been deployed into your personal data store.
DNSSEC enabled
In addition to the encryption and assurances offered by TLS for HTTPS requests, Mydex endpoints are also DNSSEC enabled. If your applications perform DNSSEC validation when resolving Mydex endpoints, this can add additional assurance that a man-in-the-middle attacker is not poisoning the DNS to interfere with or observe your requests.
You are in control
Each personal data store is controlled by a private key held solely by the individual. The private key enables the individual to approve new connections to their PDS, change the terms of those connections and, if they wish, remove them.
All data is encrypted during storage and can only be accessed by approved Subscribing organisations and services in line with their approved connection. This controls which data they can access, for what purpose and also what data they can deliver to the PDS or update within it. Each Subscribing organisation and their services must provide their own connection tokens which are unique for each PDS they connect with.
Each PDS owner is responsible for their own private key, so no-one can force Mydex to give up control of the PDS. Individuals are truly in control. If an individual forgets their private key, Mydex cannot recover it. An individual can change their private key at any time.
Your personal data store is held as a unique self-contained set of files, rather than being stored within a single large database of personal data records. Inside your own encrypted store, each data item is encrypted as well. Mydex provides you with the tools to control what information you store and share; you make all the decisions, Mydex just implements them.
You can disable or delete any one or all of your PDS connections at any time. The minute you do so, those Subscribing organisations can no longer access your personal data. The log files of every action are stored in your PDS so you can see exactly who has accessed what, and when.
Practical protections
No-one likes irritating defaults and people like to work in different ways, so, where it won’t compromise security, Mydex allows you to customise the behaviour of your PDS to suit the way you want to use it. After extensive testing, we have also put features such as the inactivity period before automatic log-out under your control.
Sharing with confidence
To give you the confidence that you can share your data securely we verify every Subscribing organisation which connects to Mydex’s platform, each of whom is bound by legal agreement.
Subscribing organisations have to prove who they are before they can offer apps or access or exchange any information beyond e-mail with our members. We do not accept access from unknown locations; everyone is verified and every connection has to be white-listed.