This document provides best practices for managing user accounts in your Thales Data Protection on Demand tenant.

Administrator Management

We recommend that all DPoD subscriber tenants have a primary administrator and at least one secondary administrator account. Secondary administrators can support primary administrators in managing a subscriber tenant and can support the primary tenant administrator if they require a password or MFA token reset.

For security purposes Thales support is only able to:

• reset primary administrator passwords
• reset all users MFA tokens

Consult the User Management document for detailed instructions on what to do if you lose access to your password or MFA token.

Multifactor Authentication

DPoD implements Multifactor Authentication (MFA) using third-party authenticator (TPA) apps showing a randomly generated and constantly refreshing 6-digit "time-based one time password" (TOTP) to be presented as a second authentication factor when logging into DPoD.

The following is a short list of possible MFA clients. DPoD does not guarantee the security or integrity of any MFA client. You can use any MFA client that supports TOTP. You are not limited to the MFA clients included here:

• Google Authenticator
• Microsoft Authenticator
• Authy
• TypingDNA
• LastPass Authenticator

We recommend you keep a back up of your MFA secrets. Consult the User Management document for detailed instructions on what to do if you lose access to your password or MFA token.

If your TOTP is not accepted when trying to log in to the DPoD, verify that the system time and time zone locale on the device supplying the TOTP is set correctly.

Platform Role Password Policy

Improper password management and implementation imposes risks to the security of Data Protection on Demand tenants and services.

To ensure the security and confidentiality of your DPoD user account the password requirements for a DPoD platform role are:

• Must be a minimum of 10 characters
• Cannot exceed 255 characters

Additionally, as per the National Institutes of Standards and Technology (NIST) guidelines the DPoD role passwords are never truncated.

DPoD accounts are temporarily disabled after 7 consecutive failed password attempts. If your DPoD account is temporarily disabled retry the login at a later time.

To increase password protection, we recommend being aware of and adhering to the following password management practices:

• We recommend using a combination of alphanumeric and special characters in your password to increase resilience to brute force attacks.
• Do not use dictionary words inside of your password.
• Passwords must not be shared with anyone. Your password is to be treated as sensitive, confidential organizational information.
• Passwords must not be inserted into any forms of electronic communication.
• Passwords must not be revealed over the phone to anyone.
• Do not share DPoD passwords with anyone, including administrative assistance, secretaries, managers, co-workers while on vacation, and family members.
• Do not write passwords and store them anywhere in your office. Do not store passwords in a file on a computer system or mobile devices (phone, tablet) without encryption.
• Do not save your password into a web browser, use a password manager.
• Any user suspecting that their password may have been compromised should report the incident to their tenant administrator as soon as possible and change their password.
• The DPoD operations team will never ask you for your login details.

Include listing Platform Communications

DPoD announcements and communications are made over:

• Changelog
• DPoD Status Page
• Email

If you are not receiving emails from DPoD please add the following addresses to your approved senders list:

• noreply@dpondemand.io - account notifications and alerts
• noreply@announcekit-mail.com - Changelog announcements (register at Changelog)
• noreply@statuspage.io - maintenance announcements (register at DPoD Status Page)
• dpondemand@thalesgroup.com - support email address