Core of our business
d2o uses enterprise-class security features to ensure that your data is always protected.
We continually monitor, update, and improve our safeguards so you can focus on growth with complete peace of mind.
Compliance Certifications
SOC 2 Type 2
A SOC 2 Type 2 attestation is performed under:
- SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
- SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide).
- TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).
ISO 27001:2013
ISO/IEC 27001 is the international standard for information security management. Its extension, ISO/IEC 27701, specifies requirements and provides guidance for a Privacy Information Management System (PIMS), making the implementation of a PIMS a helpful compliance extension for the many organizations that rely on ISO/IEC 27001, as well as creating a strong integration point for aligning security and privacy controls. ISO/IEC 27701 accomplishes this integration through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for General Data Protection Regulation (GDPR) compliance.
PCI DSS 3.2.1
The Payment Card Industry (PCI) Data Security Standards (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Microsoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA), and is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1. Azure Policy regulatory compliance built-in initiative for PCI DSS maps to PCI DSS compliance domains and controls.
NIST SP 800-171 R2
The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides guidelines for the protection of controlled unclassified information (CUI) in nonfederal information systems and organizations.
Azure Security Benchmark
The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).
Cloud Security
Data center physical security
Azure’s globally dispersed data centers comply with strict industry standards such as ISO/IEC 27001:2013 and NIST SP 800-53. In addition, Azure offers more than 90 compliance certifications, giving PMI customers one of the most comprehensive compliance coverages available from any cloud service provider.
Vendor security
Network security
Dedicated Security Team
The d2o security team operates from North Europe and West Asia. Team members are on call 24/7 and respond immediately to security alerts and incidents.
In addition, our network security relies on Azure services, integration with edge protection networks, and regular audits. Network intelligence technologies continuously monitor and block known malicious traffic and cyberattacks.
Architecture
Our network architecture is segmented into multiple security zones. Depending on the zone, we apply additional security monitoring and stricter access controls.
Network Vulnerability Scanning
We use advanced vulnerability scanning to quickly detect non-compliant or potentially weak systems. Microsoft Defender for Cloud delivers proactive protection across all workloads. Furthermore, our team performs scans on operating systems, databases, and network devices. Regular Blue- and Red-team exercises validate security controls, and results directly inform new improvements.
Intrusion Detection, Prevention and Incident Event Management
Azure Secure Score continuously evaluates our security posture and highlights opportunities for improvement. In real time, it defends workloads and enables us to stop potential security events before they escalate.
DDoS Mitigation
To further strengthen protection, Azure DDoS Protection Standard offers enhanced defenses against large-scale DDoS attacks.
Logical Access
Access to the d2o Production Network follows the principle of least privilege. Only employees with explicit need-to-know receive access, and all access is audited and monitored by the Operations Team. In addition, multi-factor authentication is mandatory for every user.
Security Incident Response
Finally, when a system alert occurs, it is immediately escalated to our 24/7 Operations, Network Engineering, and Security teams. These teams collaborate to resolve issues quickly and effectively.
Encryption
All data in transit is protected using HTTPS/TLS (TLS 1.2 or higher) and remains encrypted at rest using AES-256. Azure’s high availability guarantees — along with service clustering, disaster recovery planning, and cross-region data replication — ensure that PMI services remain stable and recoverable.
Availability and continuity
Uptime
Microsoft Azure guarantees uptime availability of at least 99.06% for its services, depending on the resource and configuration. Here is a summary of the Azure SLA for each service.
Redundancy
d2o employs service clustering and network redundancies to eliminate single points of failure. Azure’s Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.
Disaster Recovery
Our Disaster Recovery program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.
Due to Azure’s powerful global networking backbone, d2o can replicate and fail over applications to any Azure region around the globe (zone-to-zone disaster recovery, within-continent disaster recovery, and global disaster recovery).
Application Security
PMI Solution and websites
This Privacy Policy Statement covers the information practices of PMI Solutions, including services such as:
- PMI R&P (Revenue and Productivity)
- PMI P&L (Profit and Loss)
- PMI GoGreen
- PMI Task Manager
- PMI Plus (Extended version of R&P and P&L modules)
This Privacy Policy Statement also covers the information practices of websites that link to this privacy statement, including domains such as:
- *.d2o.biz
- *.d2o.com
- *.d2o.no
Wildcard (*) means that any subdomain is covered on any of the listed domains.
Development security controls
Secure Code Training
d2o provides secure code training for engineers, based on the OWASP Top Ten security risks. d2o also employs Red and Blue team training at regular intervals.
Framework Security Controls
d2o leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.
Quality Assurance
Our Quality Assurance department reviews and tests our code base. Dedicated personnel test and triage security vulnerabilities in code.
The triage process divides all identified issues into three categories: Fix, Acknowledge and Investigate, following the Vulnerability Management guidance published by the NCSC.
Separate Environments
Test environments are logically separated from the Production environment.
Vulnerability management
Dedicated Security Team
The d2o security team has members stationed in North Europe and West Asia and is on call 24/7 to respond to security alerts and events.
Protection
Our network is protected through the use of key Azure security services, integration with edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.
Architecture
Our network security architecture is segmented and consists of multiple security zones. Depending on the zone, additional security monitoring and access controls will apply.
Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. Microsoft Defender for Cloud provides advanced threat protection across the workloads in the cloud. Vulnerability scanning is performed on server operating systems, databases, and network devices. Blue and Red-team exercises are also performed and the results are used to make security improvements.
Intrusion Detection, Prevention and Incident Event Management
The secure score within Microsoft Azure continually assesses the security posture and tracks new security opportunities and efforts. It defends the workloads in real time and makes it possible to immediately prevent security events from developing.
DDoS Mitigation
Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks.
Logical Access
Access to the d2o Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the d2o Production Network are required to use multiple factors of authentication.
Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage.
Product Security
Authentication security
Authentication Options
d2o offers two secure authentication options. Customers can either enable native PMI authentication or choose Enterprise Single Sign-On (SSO) via Office365. Both methods support end-user and agent authentication.
Password Policy
In addition, our password policy strengthens account protection. Passwords must contain at least 8 characters, including lower case, upper case, a number, and a special character.
2-Factor Authentication (2FA)
Moreover, d2o’s native authentication supports 2-Factor Authentication (2FA) for BRE, agents, and admins. Users can verify via SMS or an authenticator app, adding an extra layer of security.
Service Credential Storage
Finally, d2o follows industry best practices for secure credential storage. Passwords are never stored in human-readable format but only as the result of a secure, salted, one-way hash.
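The password policy and credential-storage practice described above, as an added illustration (this is example code written for this page, not d2o's or PMI's own implementation): a checker for the stated rules (at least 8 characters with lower case, upper case, a digit and a special character) and a salted one-way hash for storage. The page does not name a hash algorithm, so PBKDF2-HMAC-SHA256 with 600,000 iterations and a 16-byte random salt is an assumed choice here; the stored record carries the algorithm name, iteration count and salt so that parameters can be raised later without breaking existing accounts.

```python
import hashlib
import hmac
import os
import string

# Policy from the page: >= 8 characters, lower case, upper case, a digit
# and a special character.
SPECIALS = set(string.punctuation)


def check_password_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


# Assumed KDF parameters; the page only says "secure, salted, one-way hash".
KDF_NAME = "pbkdf2_sha256"
KDF_ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str) -> str:
    """Derive a salted one-way hash and return a self-describing record string.

    Format: <kdf>$<iterations>$<salt hex>$<digest hex>. The plaintext password
    is never stored; a fresh random salt is drawn for every call.
    """
    violations = check_password_policy(password)
    if violations:
        raise ValueError("password rejected: " + ", ".join(violations))
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, KDF_ITERATIONS
    )
    return f"{KDF_NAME}${KDF_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        name, iterations, salt_hex, digest_hex = record.split("$")
        salt = bytes.fromhex(salt_hex)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record: never treat as a match
    if name != KDF_NAME:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations
    )
    # hmac.compare_digest avoids leaking the position of the first mismatch.
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    record = hash_password("Passw0rd!")
    print(record)
    print("login ok:", verify_password("Passw0rd!", record))
    print("wrong password:", verify_password("Passw0rd?", record))
```

Because the salt is generated per account, two users who choose the same password end up with different stored records, and a leaked record cannot be looked up in a precomputed table.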
Additional product security feature
Role-Based Access Controls
Access to data within PMI applications is managed through role-based access control (RBAC). Administrators can configure granular permissions to ensure the right people have the right level of access. PMI supports multiple user roles, including owner, admin, agent, and end-user.
Audit Logs
In addition, d2o provides comprehensive audit logs. These logs track account changes, user activity, and system settings. A redacted audit log is available within PMI for each customer, while full production audit logs are maintained within the Azure framework for maximum compliance and traceability.
Redaction
Moreover, d2o employs manual redaction to safeguard sensitive data. This process allows confidential information to be removed or anonymized, protecting user privacy. When enabled, redaction anonymizes usernames and activities across logs and database entries. This feature supports GDPR compliance and ensures historic data is also securely managed.
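One way the redaction described above can be realised for audit log lines, as an added example that is not d2o's own code: each username is replaced by a stable pseudonym derived with a keyed HMAC, so activity by the same user can still be correlated within the redacted log while the original identity cannot be recovered from the token. The log lines, the `user=` field format and the key are constructed for this example; in practice the key would live in a secret store, and discarding it turns the pseudonymisation into irreversible anonymisation.

```python
import hashlib
import hmac
import re

# Constructed sample audit log lines (not real PMI data).
SAMPLE_LOG = [
    "2024-03-01T09:12:03Z user=alice.smith action=login result=ok",
    "2024-03-01T09:15:44Z user=alice.smith action=edit_budget record=4711",
    "2024-03-01T10:02:10Z user=bob.jones action=login result=fail",
]

# Assumed field layout: a whitespace-delimited "user=<name>" token.
USER_FIELD = re.compile(r"\buser=(\S+)")


def pseudonymize_user(username: str, key: bytes) -> str:
    """Map a username to a stable, non-reversible token with HMAC-SHA256.

    The key is what makes the mapping unguessable: without it an attacker
    cannot confirm a suspected username by hashing it themselves.
    """
    tag = hmac.new(key, username.lower().encode("utf-8"), hashlib.sha256).hexdigest()
    return "user-" + tag[:16]


def redact_line(line: str, key: bytes) -> str:
    """Replace every user=<name> occurrence on one log line with its pseudonym."""
    return USER_FIELD.sub(lambda m: "user=" + pseudonymize_user(m.group(1), key), line)


def redact_log(lines, key: bytes) -> list:
    """Redact a whole log; the rest of each line (timestamp, action) is preserved."""
    return [redact_line(line, key) for line in lines]


def leaks_identity(redacted_lines, original_usernames) -> bool:
    """Check that no original username survives anywhere in the redacted output."""
    joined = "\n".join(redacted_lines).lower()
    return any(name.lower() in joined for name in original_usernames)


if __name__ == "__main__":
    demo_key = b"constructed-demo-key"  # constructed; never hard-code a real key
    for line in redact_log(SAMPLE_LOG, demo_key):
        print(line)
```

Running the block prints the three lines with both `alice.smith` entries mapped to one identical token and `bob.jones` to a different one, so a reviewer can still see that one account logged in and then edited a budget without learning who it was.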
HR Security
Security awareness
Policies
To strengthen information security, d2o has developed a comprehensive set of policies covering a wide range of topics. These security policies are accessible to all employees and contractors who handle PMI information assets, ensuring consistent standards across the organization.
Training
Furthermore, every employee participates in Security Awareness Training upon hire and again each year. Engineers also complete annual Secure Code Training to stay aligned with best practices. In addition, the Security Team regularly shares updates through emails, blog posts, and internal presentations to reinforce awareness and highlight new threats.
Employee vetting
Background Checks
As part of our commitment to security, d2o conducts background checks on all new employees in compliance with local laws. These checks also apply to contractors. Specifically, the process includes criminal record screening, education verification, and employment history verification.
Confidentiality Agreements
In addition, all new hires must sign Non-Disclosure and Confidentiality Agreements. These agreements ensure that sensitive information remains protected from day one.
Privacy-related policies
Development security controls
Framework
To support secure development, d2o uses Azure DevOps, which provides developer services that allow teams to plan work, collaborate on code development, and build and deploy applications.
Quality Assurance
Furthermore, d2o applies strict code deployment controls within the DevOps lifecycle, including Code Review and Staging Deployment. The development team in Eastern Europe (EEU) reviews and approves all code before it is released to Production.
Separate environments
In addition, Development and Production environments remain fully separated in different Azure regions, ensuring both geographical and network isolation. Access is strictly role-based (RBAC), while higher-level permissions require two-factor authentication (2FA) and VPN gateways.
What information is collected?
As you browse d2o’s websites, information may be collected through commonly used tools like cookies. These help improve functionality and enhance the user experience.
Furthermore, when you register for or attend corporate events, d2o requests essential contact details along with information related to your participation through its websites.
PMI Solution Integration (Client Specific Source Data)
The Company may, on a Client’s request, collect Source System Data from Clients or Client-specific Integration Partners or Systems. Source System Integration may be with systems such as:
- Points of Sale (POS)
- F&B Reservation Systems (FRS)
- Table Reservation System (TRS)
- Time Keeping/Management System (TKS/TMS)
- Property Management System (PMS)
- Revenue Management System (RMS)
- Sales & Catering Management System (S&C)
- Accounting Management System (AMS)
Source data integration is important for Clients in order for specific PMI products and Services to work optimally. Source data is encrypted after import when stored for backup.
PMI Account
The Company directly collects information when you are:
- enrolling as a PMI user (name, username, email address, title and employee number)
- actively editing and submitting information within your specific PMI portal
- submitting a support request
To have an account removed, send an email to support@d2o.com with the username and/or email address of the user(s) you would like to be removed. d2o will only honor account removal requests from known contacts at client organisations. If removal is not possible due to database dependencies, the username in question will instead be anonymized.
Web site cookies
We use both session-based and persistent cookies:
- Session cookies exist only during your visit. They disappear when you close your browser or turn off your device.
- Persistent cookies remain even after you close your browser. These help us remember your preferences across visits.
Keep in mind: If you disable cookies in your browser, you can still navigate the site, but some services may not function as intended.
Essential Cookies
Also called “strictly necessary” cookies, these enable core site functions. For example, they remember your preferences as you move between pages, ensuring you can use key features smoothly.
Analytics Cookies
These cookies track visits and user behavior so we can improve content, measure performance, and test new features. For example, they capture how long visitors stay, which pages they view, and which site referred them.
Functionality or Preference Cookies
These remember choices you make—such as username, language, or region. They personalize your experience, so you don’t need to reset preferences every time you return.
IP Addresses and Social Media Features
Our websites include third-party social media features (e.g., the Facebook “Like” button) and widgets such as “Share This.” These may collect your IP address, note which page you are visiting, and set a cookie to enable proper function. Your interaction with these tools is governed by the third party’s privacy policy.
International transfer of information collected
Importantly, this privacy statement applies at all times—even when d2o transfers client or attendee data across borders.
Third party links
We remain committed to protecting the integrity of our website, and we welcome your feedback if you encounter concerns about any third-party sites we link to.
GDPR Compliance
Europe General Data Protection Regulation (GDPR)
Our GDPR Commitments
At d2o, we fully embrace the principles of the General Data Protection Regulation (GDPR). Today, we support more than 500 customers and 5,000 end-users in over 10 countries—and growing.
Our service agreement gives customers a license to access and use PMI, delivered as SaaS. In providing this service, customers entrust us with processing non-sensitive personal data submitted and stored by their end-users.
As a SaaS provider, we are committed to offering features that help customers meet their GDPR obligations, including the rights of data subjects (Art. 13–22). If customers cannot fully meet their GDPR duties through PMI alone, they can trust that, whenever legally permitted and commercially reasonable, d2o will assist in handling data subject enquiries.
Equally important, we pledge to:
- Apply strong technical and organizational practices so that personal data is always processed securely (Art. 5(1)(f)).
- Demonstrate compliance and take accountability for GDPR-related tasks and responsibilities entrusted to us.
- Uphold the spirit of GDPR by acknowledging that no Data Processing Agreement relieves us, as Processor, of our direct duties and liabilities (Art. 29).
PMI only allows non-sensitive personal data to be processed
PMI only allows the processing of non-sensitive personal data. Customers can process limited information such as:
- First and last name
- Email address
- Job title and employee number
- Payroll cost (encrypted both in motion and at rest)
The categories of data subjects are strictly limited to PMI system end-users and employees.
By focusing on these narrow data categories—and through robust technical and organizational measures—d2o ensures GDPR compliance and strengthens data protection for all customers. For more details about d2o GDPR orientation click here.
Personal data access outside EEA
d2o complies with GDPR and EDPB recommendations:
- d2o does not move data outside the EU
- Personal data is encrypted, which technically prevents any d2o processors outside the EEA from identifying natural persons (be it on screen, in a print screen or otherwise)
- Privileges are managed by authorized personnel based within the EEA
Legal Information
Agreements
Our agreements and policies provide our customers and partners transparency and detailed information about d2o’s Services, which in turn support our customers in meeting their own legal and compliance standards.
Third party disclosure
Service Providers
d2o may share client and attendee data with contracted service providers so they can deliver services on our behalf. However, unless stated in this Privacy Statement, we do not sell, rent, or trade personal information with third parties for promotional purposes.
Affiliates
We may also share client data within the d2o corporate group. For example, this helps us with customer relationship management and support.
Business Partners
From time to time, d2o partners with other companies to jointly offer products or services. If you purchase—or show interest in—a jointly offered service, we may share relevant client data with our promotion partners. However, these partners follow their own privacy policies. If you prefer not to share your information, simply choose not to purchase or express interest in these joint offerings.
Third Parties
This Privacy Statement explains the information we collect through our websites and what we may share with third parties. Importantly, d2o does not authorize third parties to collect personal information through advertising technologies on our sites. Likewise, we do not share such information with outside parties, except as outlined here.
Compelled Disclosure
Finally, we may use or disclose information if required by law. We may also do so if we reasonably believe it is necessary to protect d2o’s rights or to comply with a judicial proceeding, court order, or other legal process.