Core of our business

ISO/IEC 27001  standard for information security management. It specifies requirements and provides guidance for a Privacy Information Management System (PIMS), making the implementation of PIMS a helpful compliance extension for the many organizations that rely on ISO/IEC 27001, as well as creating a strong integration point for aligning security and privacy controls. ISO/IEC 27701 accomplishes this integration through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for General Data Protection Regulation (GDPR) compliance.

The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Microsoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA), and is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1. Azure Policy regulatory compliance built-in initiative for PCI DSS maps to PCI DSS compliance domains and controls.

The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides guidelines for the protection of controlled unclassified information (CUI) in nonfederal information systems and organizations.

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

Dedicated Security Team

The d2o security team operates from North Europe and West Asia. Team members are on call 24/7 and respond immediately to security alerts and incidents.

In addition, our network security relies on Azure services, integration with edge protection networks, and regular audits. Network intelligence technologies continuously monitor and block known malicious traffic and cyberattacks.

Architecture

Moreover, our network architecture is segmented into multiple security zones. Depending on the zone, we apply additional security monitoring and stricter access controls.

Network Vulnerability Scanning

We use advanced vulnerability scanning to quickly detect non-compliant or potentially weak systems. Microsoft Defender for Cloud delivers proactive protection across all workloads. Furthermore, our team performs scans on operating systems, databases, and network devices. Regular Blue- and Red-team exercises validate security controls, and results directly inform new improvements.

Intrusion Detection, Prevention and Incident Event Management

Azure Secure Score continuously evaluates our security posture and highlights opportunities for improvement. In real time, it defends workloads and enables us to stop potential security events before they escalate.

DDoS Mitigation

To further strengthen protection, Azure DDoS Protection Standard offers enhanced defenses against large-scale DDoS attacks.

Logical Access

Access to the d2o Production Network follows the principle of least privilege. Only employees with explicit need-to-know receive access, and all access is audited and monitored by the Operations Team. In addition, multi-factor authentication is mandatory for every user.

Security Incident Response

Finally, when a system alert occurs, it is immediately escalated to our 24/7 Operations, Network Engineering, and Security teams. These teams collaborate to resolve issues quickly and effectively.

All data in transit is protected using HTTPS/TLS (TLS 1.2 or higher) and remains encrypted at rest using AES-256. Azure’s high availability guarantees — along with service clustering, disaster recovery planning, and cross-region data replication — ensure that PMI services remain stable and recoverable.

Uptime

Microsoft Azure guarantees uptime availability of at least 99.06% for their services depending of resource and configuration. Here is a summary of Azure  SLA for each service.

Redundancy

d2o employs service clustering and network redundancies to eliminate single points of failure. Azure Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Disaster Recovery

Our Disaster Recovery program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Due to Azures powerful global networking backbone, d2o can replicate and fail over applications to any Azure region around the globe (zone-to-zone disaster recovery, within-continent disaster recovery, and global disaster recovery).

Secure Code Training

d2o provide secure code training for engineers, based on OWASP Top Ten  security risks. d2o also employ Red and Blue team training with regular intervals.

Framework Security Controls

d2o leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Quality Assurance

Our Quality Assurance department reviews and tests our code base. Dedicated personnel test, and triage security vulnerabilities in code.

Triage process should divide all issues identified into three categories: Fix, Acknowledge and Investigate. Vulnerability Management guidance by NCSC

Separate Environments

Test environments is logically separated from the Production environment.

Dedicated Security Team

The d2o security team has members stationed in North Europe and West Asia and is on call 24/7 to respond to security alerts and events.

Protection

Our network is protected through the use of key Azure security services, integration with edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.

Architecture

Our network security architecture is segmented and consists of multiple security zones. Depending on the zone, additional security monitoring and access controls will apply.

Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. Microsoft Defender for Cloud provides advanced threat protection across the workloads in the cloud. Vulnerability scanning is performed on server operating systems, databases, and network devices. Blue and Red-team exercises are also performed and the results are used to make security improvements.

Intrusion Detection, Prevention and Incident Event Management

The secure score within Microsoft Azure continually assesses the security posture and track new security opportunities and efforts. It defends the workloads in real-time and makes it possible to immediately prevent security events from developing.

DDoS Mitigation

Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks.

Logical Access

Access to the d2o Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the d2o Production Network are required to use multiple factors of authentication.

Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage.

Role-Based Access Controls

Access to data within PMI applications is managed through role-based access control (RBAC). Administrators can configure granular permissions to ensure the right people have the right level of access. PMI supports multiple user roles, including owner, admin, agent, and end-user.

Audit Logs

In addition, d2o provides comprehensive audit logs. These logs track account changes, user activity, and system settings. A redacted audit log is available within PMI for each customer, while full production audit logs are maintained within the Azure framework for maximum compliance and traceability.

Redaction

Moreover, d2o employs manual redaction to safeguard sensitive data. This process allows confidential information to be removed or anonymized, protecting user privacy. When enabled, redaction anonymizes usernames and activities across logs and database entries. This feature supports GDPR compliance and ensures historic data is also securely managed.

Background Checks

As part of our commitment to security, d2o conducts background checks on all new employees in compliance with local laws. These checks also apply to contractors. Specifically, the process includes criminal record screening, education verification, and employment history verification.

Confidentiality Agreements

In addition, all new hires must sign Non-Disclosure and Confidentiality Agreements. These agreements ensure that sensitive information remains protected from day one.

In addition, as you browse d2o’s websites, information may be collected through commonly used tools like cookies. These help improve functionality and enhance the user experience.

Furthermore, when you register for or attend corporate events, d2o requests essential contact details along with information related to your participation through its websites.

PMI Solution Integration (Client Specific Source Data)

The Company may, on Clients request, collect Source System Data from Clients or Client specific Integration Partners or Systems. Source System Integration may be with systems such as:

• • Points of Sale (POS)
  • F&B Reservation Systems (FRS)
  • Table Reservation System (TRS)
  • Time Keeping/Management System (TKS/TMS)
  • Property Management System (PMS)
  • Revenue Management System (RMS)
  • Sales & Catering Management System (S&C)
  • Accounting Management System (AMS)

Source data integration is important for Clients in order for specific PMI products and Services to work optimally. Source data is encrypted after import when stored for backup.

PMI Account

The Company directly collects information when you are:

• • enrolled as a PMI user (name, username, email address, title and employee number)
  • actively editing and submitting information within your specific PMI portal
  • submit a support request

The way to have an account removed is to send an email to support@d2o.com with the username and/or email address of the user(s) you would like to be removed. d2o will only honor account removal requests from known contacts at client organisations. If the removal, due to database dependencies, is not possible the username in question will be else anonymized.

We use both session-based and persistent cookies:
• Session cookies exist only during your visit. They disappear when you close your browser or turn off your device.
• Persistent cookies remain even after you close your browser. These help us remember your preferences across visits.

Keep in mind: If you disable cookies in your browser, you can still navigate the site, but some services may not function as intended.

Essential Cookies

Also called “strictly necessary” cookies, these enable core site functions. For example, they remember your preferences as you move between pages, ensuring you can use key features smoothly.

Analytics Cookies

These cookies track visits and user behavior so we can improve content, measure performance, and test new features. For example, they capture how long visitors stay, which pages they view, and which site referred them.

Functionality or Preference Cookies

These remember choices you make—such as username, language, or region. They personalize your experience, so you don’t need to reset preferences every time you return.

IP Addresses and Social Media Features

Our websites include third-party social media features (e.g., the Facebook “Like” button) and widgets such as “Share This.” These may collect your IP address, note which page you are visiting, and set a cookie to enable proper function. Your interaction with these tools is governed by the third party’s privacy policy.

Importantly, this privacy statement applies at all times—even when d2o transfers client or attendee data across borders.

However, we remain committed to protecting the integrity of our website. We also welcome your feedback if you encounter concerns about these third-party sites.

d2o complies with GDPR and EDPB recommendations:

• d2o does not move data outside EU
• Encryption of personal data which technically prevent all d2o processors outside EEA to identify natural persons (be it on screen, print screen or otherwise)
• The privileges are managed by authorized personnel based within EEA

Service Providers

d2o may share client and attendee data with contracted service providers so they can deliver services on our behalf. However, unless stated in this Privacy Statement, we do not sell, rent, or trade personal information with third parties for promotional purposes.

Affiliates

We may also share client data within the d2o corporate group. For example, this helps us with customer relationship management and support.

Business Partners

From time to time, d2o partners with other companies to jointly offer products or services. If you purchase—or show interest in—a jointly offered service, we may share relevant client data with our promotion partners. However, these partners follow their own privacy policies. If you prefer not to share your information, simply choose not to purchase or express interest in these joint offerings.

Third Parties

This Privacy Statement explains the information we collect through our websites and what we may share with third parties. Importantly, d2o does not authorize third parties to collect personal information through advertising technologies on our sites. Likewise, we do not share such information with outside parties, except as outlined here.

Compelled Disclosure

Finally, we may use or disclose information if required by law. We may also do so if we reasonably believe it is necessary to protect d2o’s rights or to comply with a judicial proceeding, court order, or other legal process.