πŸ” Security Overview

Dictionary is built on a foundation of security-first engineering. We employ industry-leading practices to protect your data at every layer: from network infrastructure to application code, and from data at rest to data in transit.

Our security program is continuously evaluated and improved through regular penetration testing, vulnerability assessments, code reviews, and compliance audits by independent third parties.

πŸ›‘οΈ Zero Trust Architecture

Every access request is authenticated, authorized, and encrypted. No implicit trust based on network location.

🔑 End-to-End Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Keys are managed via HSM-backed KMS.

📊 24/7 Monitoring

Continuous threat detection with SOC-level monitoring, automated alerting, and real-time anomaly detection.

✅ Regular Audits

Annual SOC 2 Type II, ISO 27001 certification, quarterly penetration tests, and ongoing vulnerability scanning.

ℹ️ This document is updated quarterly. For the latest security information, contact our security team or visit our Trust Center.

🔒 Encryption Standards

We implement multiple layers of encryption to protect your data against unauthorized access. All encryption follows NIST-recommended algorithms and key management practices.

Encryption Protocols

Data Type            Protocol          Key Management          Status
Data in Transit      TLS 1.3           Auto-rotated certs      ✓ Enforced
Data at Rest         AES-256-GCM       AWS KMS + HSM           ✓ Enforced
Database Encryption  AES-256           Customer-managed keys   ✓ Available
API Communication    mTLS 1.3          Certificate rotation    ✓ Enforced
Backup Encryption    AES-256           Separate key ring       ✓ Enforced
Token Storage        bcrypt / Argon2   Per-user salt           ✓ Enforced

Key Management

All encryption keys are managed through AWS Key Management Service (KMS) with Hardware Security Module (HSM) backends. We follow a strict key rotation policy:

  • ✓ Data encryption keys (DEKs) are rotated every 90 days automatically.
  • ✓ Key encryption keys (KEKs) are rotated annually or upon any security event.
  • ✓ TLS certificates are rotated every 30 days using the automated ACME protocol.
  • ✓ API keys support customer-controlled rotation with dual-key transitions.

☁️ Infrastructure Security

Dictionary's infrastructure is hosted across multiple AWS regions with automatic failover. Our architecture follows the principle of least privilege and defense in depth.

Cloud Infrastructure

🌐 Multi-Region Deployment

Services deployed across US-East, US-West, EU-West, and AP-Southeast regions for redundancy and low-latency access.

🔥 Network Firewall

AWS WAF plus custom IPS rules block known attack patterns; DDoS mitigation is provided by AWS Shield Advanced.

🔀 Load Balancing

Application Load Balancers with health checks, auto-scaling, and automatic unhealthy instance removal.

📦 Container Security

ECS/Fargate with minimal attack surface. All containers scanned for CVEs before deployment via Trivy.

Network Architecture

Our network is segmented into isolated VPCs with strict security groups and network ACLs. No direct internet access to databases or internal services.

  • 🔒 VPC Isolation: Separate VPCs for production, staging, and CI/CD environments.
  • 🔒 Private Subnets: All databases and internal microservices run in private subnets with no public IPs.
  • 🔒 VPC Peering: Controlled cross-VPC communication via peering with explicit allow-listing.
  • 🔒 NAT Gateways: Outbound traffic from private subnets routes through audited NAT gateways.

👤 Access Controls & Authentication

We implement strict access controls across all systems and applications. Every access decision is logged, monitored, and regularly audited.

User Authentication

πŸ” Multi-Factor Authentication

TOTP, WebAuthn/FIDO2, and SMS-based MFA supported. Enforced for all admin and enterprise accounts.

🏒 SSO / SAML 2.0

Enterprise SSO via Okta, Azure AD, or OneLogin. SCIM provisioning for automated user lifecycle management.

🔑 Session Management

Sessions expire after 30 minutes of inactivity. The maximum session lifetime is 24 hours, after which re-authentication is required.
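As an added illustration (not code from Dictionary's own systems), the following Python sketch shows how the two limits above interact: continuous activity keeps sliding the 30-minute idle window, but cannot push a session past the 24-hour lifetime, which only a fresh authentication resets. The `Session` record and the replayed user are constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Limits as stated on the page.
IDLE_TIMEOUT = timedelta(minutes=30)
MAX_LIFETIME = timedelta(hours=24)


@dataclass
class Session:
    """Server-side session record (constructed for this example)."""
    user_id: str
    created_at: datetime     # time of the last full authentication
    last_activity: datetime  # last request seen on this session


def session_status(session: Session, now: datetime) -> str:
    """'active', 'idle_expired' or 'lifetime_expired' for `session` at time `now`.

    The two limits are independent: activity slides the idle window but never
    the absolute lifetime, which only a fresh authentication can reset.
    """
    if now - session.created_at >= MAX_LIFETIME:
        return "lifetime_expired"  # re-authentication required
    if now - session.last_activity >= IDLE_TIMEOUT:
        return "idle_expired"
    return "active"


def touch(session: Session, now: datetime) -> bool:
    """Record activity on a still-active session; return False if it had already expired."""
    if session_status(session, now) != "active":
        return False
    session.last_activity = now
    return True


def simulate_minutes(step_minutes: int) -> tuple[int, str]:
    """Replay a user who sends one request every `step_minutes`; return (minutes until expiry, reason)."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    s = Session("user-1", created_at=t0, last_activity=t0)
    t = t0
    while touch(s, t):
        t += timedelta(minutes=step_minutes)
    return int((t - t0).total_seconds() // 60), session_status(s, t)


if __name__ == "__main__":
    print(simulate_minutes(20))  # (1440, 'lifetime_expired'): steady activity still hits the 24h cap
    print(simulate_minutes(45))  # (45, 'idle_expired'): a 45-minute gap exceeds the 30-minute idle limit
```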

πŸ›‘οΈ Password Policy

Minimum 12 characters, checked against HIBP database. Enforced complexity with adaptive brute-force protection.

Internal Access

Our team follows the principle of least privilege with role-based access control (RBAC):

  • ✓ Just-In-Time Access: Elevation requests require approval and auto-expire after the maintenance window.
  • ✓ Break-Glass Accounts: Emergency access accounts are sealed offline and require dual authorization to use.
  • ✓ Access Reviews: Quarterly reviews of all user permissions with mandatory re-authorization.
  • ✓ Separation of Duties: Development, staging, and production access are strictly separated.

🔄 Data Flow & Processing

Understanding how your data moves through our systems is important. Below is a simplified representation of our data processing pipeline.

👤 User Input (Search / API) → 🛡️ WAF / IPS (Request filtering) → ⚖️ Load Balancer (TLS termination) → ⚙️ App Servers (Processing) → 💾 Encrypted DB (AES-256 at rest) → 📊 Analytics (Anonymized)

Data Processing Principles

  • 📋 Data Minimization: We only collect data necessary for providing our services. Search queries are anonymized after processing.
  • 📋 Purpose Limitation: Your data is used solely for the purposes you've consented to. No secondary use without explicit consent.
  • 📋 No Third-Party Selling: We never sell user data. Analytics partners receive only aggregated, anonymized datasets.
  • 📋 Processing in Controlled Regions: EU user data stays in EU regions. US data is processed in US regions. Cross-border transfer requires explicit consent.

✅ Compliance & Certifications

Dictionary maintains a comprehensive compliance program that includes internationally recognized certifications and regulatory frameworks.

  • 🇪🇺 GDPR (EU General Data Protection Regulation): Compliant
  • 🏛️ SOC 2 Type II (AICPA Trust Services Criteria): Certified
  • 📜 ISO 27001 (Information Security Management): Certified
  • 🔰 CCPA / CPRA (California Consumer Privacy Act): Compliant
  • 🏥 HIPAA (Health Insurance Portability Act): BAA Available
  • 🇺🇸 FedRAMP Moderate (Federal Risk & Authorization Program): In Progress

✅ SOC 2 Type II Report available upon request. Our most recent audit was completed in Q4 2024 with zero exceptions. Contact security@dictionary.com to request a copy.

🔎 Data Privacy

Your privacy is paramount. We design our systems with privacy-by-default and provide you with full control over your personal data.

Data We Collect

Data Category        Purpose               Legal Basis          Retention
Account Information  Service delivery      Contract             Account lifetime + 30 days
Search Queries       Service improvement   Legitimate interest  90 days (anonymized)
Usage Analytics      Product optimization  Consent              2 years (aggregated)
Device Information   Security & debugging  Legitimate interest  1 year
Communication Logs   Support & compliance  Contract             7 years

Your Rights

  • πŸ‘οΈ Right to Access: Request a copy of all personal data we hold about you via your account settings or GDPR request form.
  • ✏️ Right to Rectification: Update or correct your personal information at any time from your profile.
  • πŸ—‘οΈ Right to Erasure: Request full account deletion and data erasure. Processed within 30 days.
  • πŸ“¦ Right to Portability: Export your data in machine-readable JSON or CSV format.
  • β›” Right to Object: Opt out of analytics, marketing communications, or data processing for specific purposes.

⏳ Data Retention & Deletion

We only retain your data for as long as necessary to provide our services, comply with legal obligations, and resolve disputes. After the retention period, data is securely deleted.

Retention Schedule

Data Type          Retention Period                     Deletion Method
User Accounts      30 days after deletion request       Secure erase + key destruction
Search History     90 days                              Automated TTL deletion
API Logs           180 days                             Log rotation + overwrite
Backup Snapshots   7 days (daily) / 30 days (weekly)    Cryptographic shredding
Support Tickets    2 years after closure                Archive + delete
Financial Records  7 years (legal requirement)          Secure archive → delete

⚠️ Enterprise Note: Custom retention policies are available for Enterprise plans. Contact your account manager to configure data retention aligned with your organization's compliance requirements.

🚨 Incident Response

Despite our best efforts, security incidents can happen. We have a comprehensive incident response plan tested quarterly through tabletop exercises and maintained by our dedicated Security Operations Center.

Incident Response Timeline

  • T+0 to T+15 min (Detection & Triage): Automated systems detect anomalies. SOC analyst validates and classifies the incident severity level.
  • T+15 to T+60 min (Containment): Affected systems are isolated. Emergency response team assembled. Initial containment measures applied.
  • T+1 to T+4 hours (Investigation & Notification): Root cause analysis begins. Affected customers notified within SLA requirements. Regulatory bodies informed if required.
  • T+4 to T+24 hours (Eradication & Recovery): Vulnerability remediated. Systems restored from clean backups. Service fully operational.
  • T+7 to T+30 days (Post-Incident Review): Lessons learned documented. Security controls updated. Customer status report published.

Incident Communication

We commit to transparent communication during security incidents:

  • 📧 Customer Notification: Affected customers notified within 24 hours of confirming a data breach affecting their information.
  • 📊 Status Page: Real-time incident updates at status.dictionary.com.
  • 📋 Post-Incident Report: Detailed public report published within 30 days of resolution.

πŸ” Audits & Continuous Monitoring

We maintain continuous visibility into our security posture through a combination of automated monitoring, manual reviews, and independent third-party assessments.

Monitoring & Detection

📡 Real-Time Log Aggregation

All logs from the application, infrastructure, and network layers are aggregated into a centralized SIEM (Splunk) with automated correlation rules.

🤖 AI-Powered Threat Detection

Machine learning models detect anomalous behavior patterns across user activity, API calls, and infrastructure metrics.

🌐 Vulnerability Scanning

Daily automated scans of all public-facing endpoints. Dependency scanning on every PR via Snyk.

🧪 Penetration Testing

Quarterly external pen tests by Cobalt / Bishop Fox. Bug bounty program via HackerOne with $50K max payout.

Audit Trail

All administrative actions and data access events are logged with full audit trails:

  • πŸ“ Immutability: Audit logs are written to write-once storage with cryptographic integrity verification.
  • πŸ“ Completeness: Every action β€” login, data access, config change, user creation/deletion β€” is logged with timestamp, actor, and context.
  • πŸ“ Accessibility: Enterprise customers can access their audit logs via the admin dashboard or API. Logs retained for 7 years.

👥 Security Team

Our dedicated security team consists of 20+ professionals across application security, infrastructure security, compliance, and threat intelligence. We invest in continuous training and certification.

Team Structure

🧠 CISO

Overall security strategy, governance, and risk management. 15+ years in cybersecurity.

🔬 AppSec Team

Code review, SAST/DAST, secure SDLC integration. CI/CD pipeline security gates.

πŸ›‘οΈ Platform Security

Cloud infrastructure, IAM, network security, container security, and incident response.

📋 Compliance Team

Framework management, audit preparation, policy documentation, and vendor risk assessments.

Training & Awareness

  • 🎓 Security Training: All employees complete security awareness training annually, with additional training for developers and ops teams.
  • 🎓 Phishing Simulations: Monthly simulated phishing campaigns to maintain awareness. Click rate must stay below 5%.
  • 🎓 Certifications: Team members maintain CISSP, OSCP, AWS Security Specialty, and other relevant certifications.

❓ Frequently Asked Questions

Q: Where is my data stored?

Data is stored in AWS regions closest to you: US-East (N. Virginia), EU-West (Ireland), or AP-Southeast (Singapore). You can choose your region during signup.

Q: Can I export my data?

Yes. Go to Settings → Data → Export to download your complete data in JSON or CSV format. Enterprise customers also have API-based export options.

Q: How do I delete my account?

Navigate to Settings → Account → Delete Account. Your data will be permanently deleted within 30 days. Enterprise accounts require admin approval.

Q: Do you share data with third parties?

We never sell your data. We share minimal technical data with hosting providers (AWS) and anonymized usage data with analytics partners. Full details in our Privacy Policy.

Q: How do I report a vulnerability?

Email security@dictionary.com or submit via our HackerOne bug bounty program. We respond within 24 hours and offer rewards for valid reports.

Q: Is my API key secure?

API keys are encrypted at rest and transmitted only over TLS. You can rotate keys at any time. Enterprise plans support IP allow-listing and rate limiting per key.