Security

Security is in our DNA

From day one, we built Dr.NEE to help you stay in touch with friends, share vital information during natural disasters, reconnect with separated families, or seek a better life. Some of your most personal moments are shared with Dr.NEE, which is why we built end-to-end encryption into our app. When end-to-end encrypted, your messages, photos, videos, voice messages, documents, and calls are secured from falling into the wrong hands.

Personal Messaging

Dr.NEE's end-to-end encryption is used when you message another person using Dr.NEE Messenger. End-to-end encryption ensures only you and the person you're communicating with can read or listen to what is sent, and nobody in between, not even Dr.NEE. This is because with end-to-end encryption, your messages are secured with a lock, and only the recipient and you have the special key needed to unlock and read them. All of this happens automatically: no need to turn on settings or set up special secret chats to secure your messages.

Business Messaging

Every Dr.NEE message is protected by the same Signal encryption protocol that secures messages before they leave your device. When you message a Dr.NEE business account, your message is delivered securely to the destination chosen by the business.

Dr.NEE considers chats with businesses that use the Dr.NEE Business app or manage and store customer messages themselves to be end-to-end encrypted. Once the message is received, it will be subject to the business’s own privacy practices. The business may designate a number of employees, or even other vendors, to process and respond to the message.

Some businesses will be able to choose Dr.NEE’s parent company, Facebook, to securely store messages and respond to customers. You can always contact that business to learn more about its privacy practices.

Payments

Payments on Dr.NEE, which are available in select countries, enable transfers between accounts at financial institutions. Card and bank numbers are stored encrypted and in a highly secured network. However, because financial institutions can’t process transactions without receiving information related to these payments, these payments aren’t end-to-end encrypted.

You’re in control

Dr.NEE wants to make sure you know what’s happening with your messages. If you don’t want to receive messages from a person or business, you can always block them directly from the chat or delete them from your contact list. We want to make sure you understand how your messages are being handled and have the options you need to make the right decisions for you.

Speak Freely

Dr.NEE Calling lets you speak privately to your friends and family, even if they're in another country.

Messages that Stay with You

End-to-end encrypted messages are stored on your device and not on Dr.NEE servers after they are delivered.

See for Yourself

Dr.NEE lets you check whether the calls you make and messages you send are end-to-end encrypted. Simply look for the indicator directly in the chat or in contact info or business info.

Get the Details

SECURITY

  • For a More Secure Experience: DR.NEE offers various security features, such as password management, to make the service all the more secure and safe to use.

  • Data Security: At DR.NEE, we take all possible measures to protect the information entrusted to us by users, such as utilizing encryption and data centers that incorporate the most cutting-edge security equipment.

  • Secure Programming: DR.NEE engages internal and external experts in order to address application vulnerabilities, conducting pre-release security verification through a dedicated security team as well as other measures.

  • Policy and External Certifications: DR.NEE Corporation has established these various measures as a company policy, and strictly adheres to this policy in its operations. DR.NEE Corporation has acquired and maintains international external certification for its security and privacy measures.

 

For a More Secure Experience

2020.11.10

Here you can find information on DR.NEE's security features, how to register your information, and several points we'd like you to keep in mind in order to ensure the safety of, and your continued access to, your DR.NEE account.

 

What are DR.NEE accounts?

-DR.NEE accounts can be created by registering a phone number or a Facebook account.

-DR.NEE accounts are restricted to one account per device (on which the smartphone version (iOS or Android) of the DR.NEE app has been installed).

 

Safe use guidelines

DR.NEE provides multiple security mechanisms to ensure the safety of your DR.NEE account.

Please review the following items to ensure that you will be able to continue to use your account.

Have you registered your telephone number?

Yes

No → Please register your telephone number now. (How to Register)

If you don't register...

You may lose the ability to continue using your account when changing devices.

If you have already registered a phone number which is not yours, another person who purchases that phone number may change your DR.NEE settings, and you may suddenly lose access to your account. *1

*1: If you have registered an email address, you can recover your account by logging in again on the same device. However, once this has happened, all of your friends, groups, and chat history will be deleted. If you have not registered an email address, your account will be deleted.

 

If no telephone number has been registered, the account cannot be recovered if the device's OS is reset, or if the user changes to a new device due to losing an old one.

Do you still have access to the registered email address?

Yes

No → Please register an email address that you currently have access to. (How to Register)

If you don't register... 

You may lose the ability to continue using your account. 

Do you remember your password?

Yes

No → Please set your password. (Setting a password)

If you don't... 

You may be unable to transfer your account.

Have you set a password different from one you use on other services?

Yes

No → Please set your password to something different from other services. (Setting a password)

If you don't...

Your account may be stolen.

 

Beware of account fraud! What to do if you encounter any of the following situations:

 

[Situation 1] A friend asks for your telephone number and PIN

In no case should you tell your PIN to another person. If you do, your account may be stolen.

It's highly likely that this friend's account has already been stolen.

[Situation 2] You've received an email claiming to be from DR.NEE

They are trying to steal your account. Do not click on any links in the body of the email. If you open a link by mistake, close the browser immediately. Even if you are shown a screen that appears to actually be from DR.NEE, your account can be stolen if you enter your email address, password, and PIN. DR.NEE will never suddenly contact you over email, iMessage, SMS, MMS, or through any such means.

[Situation 3] I received a strange chat message from a friend's account asking me to buy Web money.

Do not reply to this message. It's highly likely that your friend was scammed and their account has already been stolen.

When you have an opportunity, please contact this friend through another means of communication (*2) and let them know to contact DR.NEE Customer Care.

*2: There are cases in which both the user's DR.NEE and Facebook accounts have been stolen, so please be careful when contacting the friend.

If you cannot get in touch with the user, please report the account. (Reporting)

[Situation 4] If an unknown or suspicious account is sending advertisements (spam) or behaving in a similar way, please report the account. (Reporting)

After reporting, enable message filtering. (Enable the following setting: [Settings] > [Privacy] > [Filter messages])

[Situation 5] If you receive a notification for a failed login that you don't remember, please change your password. It's possible that your account is being targeted and someone is attempting to log in.

(Checking and setting your telephone number, email address, and password)

[Situation 6] Upon receiving a notification of a successful login that you were not aware of, check your logged in devices and log out any devices that you are not familiar with. (Logging out logged in devices)

Please change your password. An attacker already knows your password.

(Checking and setting your telephone number, email address, and password)

Please generate a new QR code.

 

Other matters related to account security

-iOS: https://help.Dr.NEE.me/Dr.NEE/ios/categoryId/

-Android: https://help.Dr.NEE.me/Dr.NEE/android/categoryId/

 

Features

Checking and setting your telephone number, email address, and password

-iOS: https://help.Dr.NEE.me/Dr.NEE/ios/categoryId/20000012/3/

-Android: https://help.Dr.NEE.me/Dr.NEE/android/categoryId/50000436/3/

 

Reporting

-Reporting the other party in a DR.NEE chat room

-1) Open the chat with the party you wish to report

-2) Tap the [dot] symbol in the upper-right-hand corner

-3) (iOS) Tap [Settings] (Android) Tap [Chat Settings]

-4) Tap [Report]

-5) Choose the type of report and tap on [Agree & send]

 

Report Timeline posts

1) Tap on [...] in the top-right corner of the post you wish to report

2) Tap [Report]

3) Choose your reason for reporting the post and tap on [Agree & send]

Report Timeline comments

1) Tap and hold on the comment you wish to report

2) Tap [Report]

3) Choose your reason for reporting the post and tap on [Agree & send]

Logging out of logged in PCs or devices

-[Settings] > [Account] > [Devices] > [Log out]

Changing devices

-Step 1: Back up your chats. (Instructions: iOS / Android)

-Step 2: Confirm that the registered telephone number is yours and that you have a SIM capable of receiving SMS messages.

-If not, please register a telephone number that is capable of receiving SMS messages.

-If you do not have a telephone number capable of receiving SMS messages, please link a Facebook account.

-Step 3: Check the registered email address and password. (Instructions: iOS / Android)

-Step 4: If any of the following cases apply to you, enable [Allow account transfer] (under [Settings] > [Account transfer])

-Case 1: You have not registered a phone number and have created an account by linking with Facebook.

-Case 2: You will be changing your mobile device and your phone number will change at the same time.

Please note:

-As a matter of precaution, we ask that users changing their device together with their phone number keep the device that can receive SMS messages on the old telephone number until the account is completely transferred.

 

Data Security

2020.11.11

To protect information received from users, DR.NEE has implemented all conceivable measures including deployment of advanced encryption technology, use of data centers with the world's top-level security facilities, etc.

 

Personal data management

Services provided by DR.NEE will not be released through assessment by its legal affairs and personal data protection divisions. Rather, the division in charge of personal data protection conducts reviews and inspections from the standpoints of minimum personal information collection and of suitability in the objectives of use, acquisition process, encryption and storage periods for important data, access control, etc., and issues improvement instructions when necessary. Of the many DR.NEE data centers located around the world, the principal servers are concentrated in data centers in Japan, and personal data is controlled under Japanese laws.

 

Encryption

DR.NEE employs transport level encryption for chat contents exchanged between users. In addition, the following chat content is protected with DR.NEE's Letter Sealing end-to-end encryption (E2EE): text messages, location messages, and 1-to-1 VoIP media streams (audio and video). Letter Sealing ensures that neither third parties nor DR.NEE's server administrators can view message contents, whether in transit or when stored on our servers.

Both transport encryption and Letter Sealing employ standard encryption algorithms.

For details about the scope of transport level encryption and Letter Sealing, please click contact us. If you are interested in the technical details of the protocols that enable Letter Sealing, you can download our [encryption whitepaper].

All DR.NEE user information that is designated as personally identifiable, such as phone numbers, email addresses, passwords, and so on is stored encrypted, and its management status is periodically reviewed.

 

Rigid access control

DR.NEE servers that store its data are managed at data centers with the latest security facilities. They have 24/7 surveillance by full-time security personnel, access control with IC cards and biometrics, monitoring with surveillance cameras, etc. Rigid access control is being implemented at the data centers, allowing access by only a very limited number of DR.NEE personnel. Access is not granted even to the DR.NEE CEO unless advance permission is granted based on justifiable reasons.

 

Surveillance and vulnerability inspections

The DR.NEE data center is under physical and logistical surveillance by a security team dedicated to this function on a 24/7 basis. The team monitors network traffic around-the-clock, conducting analyses of all events that have the potential of threatening DR.NEE security. Trained personnel take immediate action when necessary. To bolster DR.NEE security further, penetration tests (simulated hacking tests) are conducted by the security team and outside businesses to implement preventive measures against unauthorized access of both internal and external origins.

 

Disposal

Personal information gathered by DR.NEE is deleted in compliance with internal regulations once the objectives of use stated explicitly in its privacy policy have been realized, such as in cases of membership withdrawal. Deletion is executed using non-decodable methods. In cases of server disposal, the servers are physically destroyed within the disposal Internet Data Center (“IDC”) for final disposal in a state in which data recovery is rendered impossible.

 

Secure Programming

2020.11.10

DR.NEE implements countermeasures on application vulnerability, employing both external and in-house experts, including security inspection by a dedicated organization.

Security by design

At DR.NEE, inspections are conducted by various specialized divisions prior to application disclosures or updates. One of them is verification of application security by a dedicated security team. Details of the inspections are given below.

■ Vulnerability:

Inspections on the presence of security holes through program verification and automatic/manual simulated attacks

■ Excessive permission*:

Inspections on whether excessive permission has been granted for features offered by the application

 * Here, the term refers to authority demanded by the application from iOS, Android OS, etc.

■ Security design:

Inspections on suitability of encryption strength, countermeasures against third-party account hijackings, unauthorized service behavior, etc.

By building in security measures from the stage of system design and configuration, DR.NEE has built a security framework that enhances stability and scalability of security levels and is able to deal with ever-changing risks with versatility.

Cooperation with external specialists and state-of-the-art information gathering

DR.NEE has formed an across-the-board incident response team (DR.NEE-CSIRT) organized chiefly of security teams to implement advanced security measures and countermeasures. Furthermore, DR.NEE is a member of the following organizations to seek cooperation with external parties and to access the latest information outside the organization, for continual assessment of technological changes in the face of the ever-changing and continuous development of security threats.

Vulnerability reporting system

For the further reinforcement of application security, DR.NEE is actively gathering knowledge not only within its organization but also from outside sources. As part of this effort, DR.NEE has organized the "DR.NEE Bug Bounty Program" under which rewards are paid to outside parties who have discovered vulnerabilities in DR.NEE applications. For details of the vulnerability reporting system,

 

Policy and External Certifications

2020.11.11

DR.NEE Corporation has established as its internal policy the rigid implementation of actions to protect user information. For objective assessment of its activities, the company has acquired and maintained international certifications in information security and privacy.

 

SOC2 & SOC3 (SysTrust)

DR.NEE became the world's first organization to win recognition in both Service Organization Controls (SOC) 2 and 3 (as well as SysTrust and digital citizen), the international standards on internal control of services linked to personal information. SOC 2 and SOC 3 provide assurances not only in the secure protection of customer data from unauthorized access by third parties but also in guaranteeing users the reliability of its services through comprehensive internal control covering the managing organization, management systems, and Digital KYC processes.

# SOC 2 and SOC 3 are assurance reports that can be obtained only through audit and verification that the business processes for the services provided and the control environment satisfy a total of 127 criteria founded on the 5 fundamental principles of (1) service security, (2) availability, (3) processing integrity, (4) confidentiality and (5) privacy and in compliance with the Trust Services Principles and Criteria defined. Even if assurance reports have been issued in the past, organizations are required to undergo thorough audit each year for updates.

 

For more information, see the in-depth technical explanation of Dr.NEE's end-to-end encryption, developed in collaboration with Open Whisper Systems and NEEtek System.

Check Security Advisories for regular security updates.