Gray caret graphic pointing left
This is some text inside of a div block.
Data Privacy & Security

Data privacy
 and security

Dedoose is designed and maintained to ensure we meet the requirements of institutional and governmental human subject protections and other standards for qualitative research data in higher education. We are committed to employing the most current technologies, systems, policies, and practices to ensure your data are safe.

Closeup image of a person typing on a laptop keyboard
Long white arrow pointing downward
Closeup image of a person typing on a laptop keyboard

Data privacy
 and security

Dedoose is designed and maintained to ensure we meet the requirements of institutional and governmental human subject protections and other standards for qualitative research data in higher education. We are committed to employing the most current technologies, systems, policies, and practices to ensure your data are safe.

Closeup image of a person typing on a laptop keyboard
Long white arrow pointing downward
Illustration of a shield with a lock on top

Dedoose platform security

Dedoose was designed from the ground up knowing that security would need to be the foundational factor to build and provide access to a trusted academic cloud-based research platform.

Prioritizing Data Privacy

Dedoose employs a set of encryption, storage, and access strategies to protect data privacy during all phases of project data movement to and from the client to Dedoose systems and all stops along the way. All data are encrypted in transit and at rest.

Continuous Improvements

Cloud service technologies and security regulations are constantly evolving, and our team works continuously to ensure the Dedoose platform remains current with these changing requirements.

Security & compliance

Dedoose systems are built and maintained to meet or exceed all international certifications for research data handling and protection. Below are various standards that Dedoose and our cloud-provider Azure have secured.

Certified ISO badge
ISO/IEC 27018

International cloud storage standards for protecting personally identifiable information.

ISO 27001 certified badge
ISO 27001

International information security management systems standard.

HIPAA compliant badge
HIPAA

National standard for protecting sensitive patient health information and patient disclosure rights.

FedRAMP badge
FedRamp Moderate

Standards for security and risk-assessment for cloud technologies.

AICPA certified badge
SOC 2

System and organizational control criteria for financial information and organizational cloud service data center security.

SSAE 16 certified badge
SAS 70 Type II / SSAE 16 SOC

Auditing standard criteria for the design and operating effectiveness of service organization controls and process.

EU-US badge
US-EU Data Shield Compliance

Compliance mechanisms for protecting EU data when transferring to and engaging in transatlantic commerce with the United States.

GDPR badge
GDPR

General legal framework for the collecting and processing personal information of individuals living in and outside the European Union.

Data protection and retention

Dedoose is committed to the protection of users’ personal information and their research data. Below are a few of our policies to ensure your safety:

Arrow pointing right on a round teal background

Never selling, sharing, or trading your personal information or data with any 3rd parties, including any AI training services

Arrow pointing right on a round teal background

Explicitly requiring opt in for communications, providing mechanisms for you to be able to view and export your research data, control your personal data, and permanently delete all your data, and all personal information stored in or by Dedoose

Arrow pointing right on a round teal background

Implementing comprehensive industry-standard data security and protection standards such as SOC 2 Type 2

Arrow pointing right on a round teal background

Embracing and meeting all certification requirements for compliance with the EU-US Privacy Shield Framework

Data use, sharing and security

Our ‘Your Data, Your Way’ philosophy means we will never share your project data or personal information with any third-party services or expose your data to any AI models for information gathering or training purposes.

Dedoose does not share any customer information with any 3rd party organization. We respect your rights to your data and do not access or use your data in any way without your explicit permission or justification.

Data centers managed by Microsoft have extensive layers of protection. This includes access approval, at the facility’s perimeter, at the building’s  perimeter, inside the building, and on the datacenter floor. This  layered approach reduces the risk of unauthorized users gaining physical  access to data and the datacenter resources. 

All data communication through Dedoose occurs through a 2-lock system.  Dedoose sets up an AES (Advanced Encryption Standard)-256 CBC (Cipher Block Chaining) Encrypted SSL/TLS (Secure Sockets Layer) tunnel using a premium SSL/TLS-EV certificate. The server then provides the Dedoose client with a one way write key using RSA encryption.

Illustration of a data server surrounded by a lock, a document, a spyware and data folder icons

Data access, storage and retention

By default, Dedoose keeps a backup of all data for restoration purposes for a period of 2 years. This data backup is encrypted using AES256. A user can delete their project from Dedoose at any time and we can remove that data permanently from our backups by a certified written request to support@dedoose.com.

Illustration depicting the concept of user permissions
Data Access Security

Dedoose includes an account workspace and project security workspace for managing per user data access. This includes the ability for an account’s admin to manage users, enable and disable users, and define users, groups, and permissions at a granular per-project level. This security is enforced both on the client-side and the server-side.

Illustration of data server
Data Storage Security

Dedoose is hosted on Microsoft’s Azure US servers with all project data backed-up in-full on a nightly basis, encrypted using AES-256 processes, and transferred automatically to redundant storage volumes. One volume is on-site, the other two are off-site and replicated across geographic regions. All project file data are  encrypted and stored in a Microsoft Azure fault tolerant storage volume. For added safety, this storage volume is encrypted and mirrored in real time to an Amazon S3 storage volume in the same geographic region.

Illustration of a desktop machine with a document and IO data markings on top
Data Retention

By default, Dedoose keeps a backup of  all data for restoration purposes for a period of 2 years. This data backup is encrypted using AES256. A user can delete their project from at any time and we can remove that data permanently from our  backups by a certified written request if needed. To ensure these processes are working as designed, an automated program runs weekly, which includes: downloading the most recent backups from each storage volume, verification that the backup is the correct version, a full test restoration of the database to assure data integrity, and email reporting of all backup and restoration process results to key members of the Dedoose Admin team.

Illustration depicting the concept of user permissions
Data Access Security

Dedoose includes an  account workspace and project security workspace for managing per user data access. This includes the ability for an account’s administration  to manage users, enable, disable users, reset user passwords, and define users, groups, and permissions at a granular per-project level. This  security is enforced both on the client-side and the server-side.

Illustration of data server
Data Storage Security

Dedoose is hosted on Microsoft’s Azure US servers with all project  data backed-up in-full on a nightly basis, encrypted using AES-256 processes, and transferred automatically to redundant storage volumes.  One volume is on-site, the other two are off-site and replicated across geographic regions. All project file data are  encrypted and stored in a Microsoft Azure fault tolerant storage volume.  For added safety, this storage volume is encrypted and mirrored in  real-time to an Amazon S3 storage volume in the same geographic region.

Illustration of a desktop machine with a document and IO data markings on top
Data Retention

By default, Dedoose keeps a backup of  all data for restoration purposes for a period of 2 years. This data backup is encrypted using AES256. A user can delete their project from at any time and we can remove that data permanently from our  backups by a certified written request if needed. To ensure these processes are working as designed, an automated program runs weekly, which includes: downloading the most recent backups from each storage volume, verification that the backup is the correct version, a full test restoration of the database to assure data integrity, and email reporting of all backup and restoration process results to key members of the Dedoose Admin team.

Audit policy

Dedoose undergoes a variety of security and compliance related audits on the following schedules

Red stopwatch icon with lightening bolt in the middle
Real-Time
Automated access and log audits; Performance and exception auditing
Gray shield icon with arrows circling around the top and bottom
Monthly
Automated vulnerability and penetration testing audits; Manual internal vulnerability and configuration audits
Teal calendar icon
Annually
3rd party red-team penetration testing audit performed by Leviathan Security Group

Data breach notification and 
incident response plan

Dedoose undergoes a variety of security and compliance related audits on the following schedules.

Illustration of an alert notification atop a laptop
Illustration of an alert notification atop a laptop
Scope Assessment

Upon the detection of any breach in data security, Dedoose technical staff, led by the Dedoose Chief Technical Officer, will immediately assess the size, scope, and severity of the breach.

Project Administrator Notification

All administrators of projects that may have been involved are then notified with the response plan.

Proactive Breach Fortification

Depending on the nature and cause of the breach, Dedoose will take appropriate action to prevent any future breach and then, to the extent reasonably practicable, restore the integrity of all affected project data.

Dedoose hosts all data within the continental U.S. Further details about this notification and response plan will be provided upon request.