As of this update, Dedoose has not provided any agency with any customer data for any reason at any time. If someone at an agency makes a legal request for customer data, we promise to use every action available to obscure and delay this request, and to use all legal avenues available to reject it and to inform the affected user(s) of said request.
Dedoose sets up an AES (Advanced Encryption Standard)-256 CBC (Cipher Block Chaining) encrypted SSL/TLS (Secure Sockets Layer/Transport Layer Security) tunnel using a premium SSL/TLS-EV certificate. All communication following this channel is encrypted. The user is not prompted for login information until this communication channel is established. The server then provides the Dedoose client with a one-way write key using RSA encryption.
The Dedoose client then applies a per-user salted hashing algorithm (SHA-256) and encrypts the result with the one-way write key (RSA) to verify the user password. This means Dedoose does not store user passwords. Rather, the system stores the known result of this algorithm against the username and password and then compares that result to the result the Dedoose client sends to the server for authentication. This prevents both man-in-the-middle attacks and brute-force password attacks, and, in the event our database is compromised, user passwords will not be revealed. This login system follows the security industry’s best practices and has been verified by Leviathan Security Group.
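The login exchange described above, sketched end to end as an added example; this is not Dedoose code. The function names, the 2048-bit key, OAEP padding, the way the salt reaches the client, and the constant-time comparison are assumptions, since the page does not specify them.

```javascript
// Added illustration, not Dedoose code. Names, key size and padding are assumptions.
const crypto = require('node:crypto');

// Server: RSA key pair; the public half plays the role of the "one-way write key".
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });

// Salted SHA-256 of the password, the step the page assigns to the client.
function saltedHash(salt, password) {
  return crypto.createHash('sha256').update(salt).update(password, 'utf8').digest();
}

// Enrollment: the server keeps the per-user salt and the hash result, never the password.
const users = new Map();
function enroll(username, password) {
  const salt = crypto.randomBytes(16);
  users.set(username, { salt, verifier: saltedHash(salt, password) });
}

const OAEP = { padding: crypto.constants.RSA_PKCS1_OAEP_PADDING, oaepHash: 'sha256' };

// Client: hash with the user's salt, then encrypt under the server's public key.
function clientLoginMessage(salt, password, serverPublicKey) {
  return crypto.publicEncrypt({ key: serverPublicKey, ...OAEP }, saltedHash(salt, password));
}

// Server: decrypt, then compare with the stored result in constant time.
function serverVerify(username, ciphertext) {
  const user = users.get(username);
  if (!user) return false;
  let candidate;
  try {
    candidate = crypto.privateDecrypt({ key: privateKey, ...OAEP }, ciphertext);
  } catch {
    return false; // malformed or tampered ciphertext
  }
  return candidate.length === user.verifier.length &&
    crypto.timingSafeEqual(candidate, user.verifier);
}

// Constructed sample account and passwords.
function demo() {
  const name = 'researcher@example.org';
  enroll(name, 'correct horse battery staple');
  const { salt } = users.get(name); // assumption: the server sends the salt to the client
  return {
    good: serverVerify(name, clientLoginMessage(salt, 'correct horse battery staple', publicKey)),
    bad: serverVerify(name, clientLoginMessage(salt, 'wrong password', publicKey)),
  };
}
```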
Dedoose is designed and maintained to ensure we meet the requirements of institutional and governmental human subject protections and other standards for qualitative research data in higher education. We are committed to employing the most current technologies, systems, policies, and practices to ensure your data are safe.
Dedoose was designed from the ground up knowing that security would need to be the foundational factor to build and provide access to a trusted academic cloud-based research platform.
Dedoose employs a set of encryption, storage, and access strategies to protect data privacy during all phases of project data movement to and from the client to Dedoose systems and all stops along the way. All data are encrypted in transit and at rest.
Cloud service technologies and security regulations are constantly evolving, and our team works continuously to ensure the Dedoose platform remains current with these changing requirements.
Dedoose systems are built and maintained to meet or exceed all international certifications for research data handling and protection. Below are various standards that Dedoose and our cloud-provider Azure have secured.
International cloud storage standards for protecting personally identifiable information.
International information security management systems standard.
National standard for protecting sensitive patient health information and patient disclosure rights.
Standards for security and risk-assessment for cloud technologies.
System and organizational control criteria for financial information and organizational cloud service data center security.
Auditing standard criteria for the design and operating effectiveness of service organization controls and process.
Compliance mechanisms for protecting EU data when transferring to and engaging in transatlantic commerce with the United States.
General legal framework for collecting and processing personal information of individuals living in and outside the European Union.
Dedoose is committed to the protection of users’ personal information and their research data. Below are a few of our policies to ensure your safety:
Never selling, sharing, or trading your personal information or data with any 3rd parties, including any AI training services
Explicitly requiring opt in for communications, providing mechanisms for you to be able to view and export your research data, control your personal data, and permanently delete all your data, and all personal information stored in or by Dedoose
Implementing comprehensive industry-standard data security and protection standards such as SOC 2 Type 2
Embracing and meeting all certification requirements for compliance with the EU-US Privacy Shield Framework
Our ‘Your Data, Your Way’ philosophy means we will never share your project data or personal information with any third-party services or expose your data to any AI models for information gathering or training purposes.
By default, Dedoose keeps a backup of all data for restoration purposes for a period of 2 years. This data backup is encrypted using AES256. A user can delete their project from Dedoose at any time and we can remove that data permanently from our backups by a certified written request to support@dedoose.com.
Dedoose undergoes a variety of security and compliance related audits on the following schedules.
Upon the detection of any breach in data security, Dedoose technical staff, led by the Dedoose Chief Technical Officer, will immediately assess the size, scope, and severity of the breach.
All administrators of projects that may have been involved are then notified with the response plan.
Depending on the nature and cause of the breach, Dedoose will take appropriate action to prevent any future breach and then, to the extent reasonably practicable, restore the integrity of all affected project data.
Dedoose hosts all data within the continental U.S. Further details about this notification and response plan will be provided upon request.