Data security and privacy

The privacy of your data and your research is of utmost importance at Delve. We never sell your data to 3rd parties, and the data you bring into Delve is owned by you. We practice “Privacy by Design” to ensure that every feature and product is built with privacy and security in mind and we follow the best practices in the industry. We utilize industry-standard cloud infrastructure with trusted partners.

Here is more information about what we do at Delve to protect your data and privacy.


Data rights and management 

Users Own Their Data

All data is owned by Delve Users, and is never sold to 3rd parties. Users can use tools within Delve to delete data themselves. Users can also request that their account and all data associated with it be entirely deleted. We will not view data unless given permission as part of a support case.

Data is Private by Default

All data submitted to Delve is private to the Delve user by default. Data can only be shared with another Delve user by the account owner.

Data Deletion

Delve users can delete their submitted data at any time using tools within Delve. They can also request that their account and all data associated with it be entirely deleted. Requests need to be made in writing, and sent from the email of the Delve user’s account or from the chat box when logged into the Delve account. The Delve user may also be asked to provide information to validate their identity in order for the request to be processed.

You can make a data deletion request by reaching out to us.

Data Breach Policy

We do everything we can to prevent data breaches, but acknowledge that no environment can guarantee absolute security. In the unfortunate and unlikely event that there is a data breach, affected users will be informed within 72 hours of us becoming aware of the data breach.

Data Backups

Data in Delve is continuously and automatically backed up to protect against data loss using Heroku Postgresql’s Rollbacks. Backup data is stored for no longer than 14 days.


Security Features

Encrypted in Transit

User-submitted data is encrypted in transit from the browser to servers using TLS encryption. 

Encryption at Rest

All user-submitted data is encrypted at rest by our third-party database subprocessors.

SSL Certificates

SSL certificates are kept up to date and secure using Heroku’s Automated Certificate Management.

OAuth Authentication

We follow best practices with user login information and use modern OAuth authentication.

Trusted 3rd party data processors

We use trusted 3rd party data processors to store user-submitted data. These data processors use a variety of measures to keep your data safe including, but not limited to: encryption-at-rest, firewalls with authentication requirements, and TLS for secure communication. We enter into Data Processing Agreements with our third-party vendors as well as Standard Contractual Clauses.

Data Hosting and Residency

Delve is headquartered in the U.S. and so are nearly all of our trusted vendors.

Passwords are Salted

Passwords are never stored in plain text, and are salted using BCrypt.

Password Reset

Delve follows best practices to provide a secure way to reset passwords.

Password Requirements

Delve enforces password complexity requirements.

Detecting intrusions or attacks

We use third-party monitoring and logging solutions to detect intrusions or attacks and to alert the engineering team for incident response.

Log sanitization

We sanitize our logs so that no user-submitted data can be viewed in the logs.

Payment security

Payment and billing information is processed by our third party payment processor, Stripe. You can see Stripe’s compliance information on their security page.


Best practices for product and software 

Software engineering best practices 

We regularly conduct Static Code Analysis and conduct software code reviews before releasing changes to Delve. 

Unit and integration testing 

Delve software code has a high coverage of unit and integration tests.

Rigorous quality assurance

Every change made to Delve goes through a rigorous automated and manual quality assurance process before being deployed to the app.

Tracking and resolving bugs and errors

We use third party monitoring and logging solutions to track and resolve bugs and errors. 

Ensuring the response time of Delve

We use third-party monitoring and logging solutions to ensure fast response times within Delve.

Twelve-factor app methodology

Delve follows the 12-factor app methodology, which enables Delve to be built for portability and resilience.

Application Environments

Delve has different environments for development, staging, and production, and uses environment variables to configure those apps. The hosts in a single environment are uniformly configured.

Application monitoring

We have an alerting system that monitors our application. In the case of abnormal activity, the relevant team members are notified electronically. They review the alert and triage it for accuracy and validity. If it is a high-level risk, the alert is immediately investigated further and patched.


Internal employee policies 

Employee training

All employees complete information security training.

Two Factor Authentication

All employees are required to use two-factor authentication for critical accounts.

Password management systems

All employees are required to use secure password management systems. 

Need to know basis

Access to information is granted to employees only on a need-to-know basis. Access is revoked when no longer necessary.

Risk assessments

Risk is assessed every time there are new machines, substances and procedures, which could lead to new hazards.


Compliance

GDPR 

Delve is committed to GDPR compliance. Our privacy policy outlines how you can make data portability requests, data erasure requests, request copies of your personal data and withdraw consent to process personal data by deleting your Delve account along with all associated personal data.

We have data processing agreements and Standard Contractual Clauses in place with all our vendors, and we ensure vendors are obligated to use personal information only for the purposes outlined in our agreements.

We have a designated Data Protection Officer to handle all privacy and data collection issues and to ensure GDPR compliance.

To send questions to our Data Protection Officer, reach out using our chat.

CCPA

While Delve is not covered under CCPA and CPRA criteria, we enable Delve users to exercise many rights similar to those outlined under the CCPA and CPRA, such as a transparent privacy policy with notice, the ability to accommodate data deletion requests, and the ability for consumers to request access to their personal information.


Privacy Policy

See our full privacy policy here.

If you have any questions, please reach out!