
Core of our business

d2o uses enterprise class security features to ensure that your data is always protected.

We continually monitor, update, and improve our safeguards so you can focus on growth with complete peace of mind.

Microsoft Azure
AICPA SOC
ISO 27001

Compliance Certifications

SOC 2 Type 2
To uphold stringent security standards, we audit our production and development environments on a regular basis. In addition, we continuously monitor and manage compliance through Microsoft Azure’s robust infrastructure.

A SOC 2 Type 2 attestation is performed under:

  • SSAE No. 18, Attestation Standards: Clarification and Recodification, which includes AT-C section 105, Concepts Common to All Attestation Engagements, and AT-C section 205, Examination Engagements (AICPA, Professional Standards).
  • SOC 2 Reporting on an Examination of Controls at a Service Organization Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy (AICPA Guide).
  • TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, 2017 Trust Services Criteria).
ISO 27001:2013
Aligned with global best practices, ISO/IEC 27001 helps us establish a strong Information Security Management System (ISMS). Furthermore, ISO/IEC 27701 extends this framework to support GDPR-relevant workflows.

ISO/IEC 27001 is the international standard for information security management. ISO/IEC 27701 extends it by specifying requirements and providing guidance for a Privacy Information Management System (PIMS), which makes implementing a PIMS a helpful compliance extension for the many organizations that already rely on ISO/IEC 27001 and creates a strong integration point for aligning security and privacy controls. ISO/IEC 27701 achieves this integration through a framework for managing personal data that can be used by both data controllers and data processors, a key distinction for General Data Protection Regulation (GDPR) compliance.

PCI DSS 3.2.1
We regularly audit our production and development environments and continuously monitor compliance through Microsoft Azure’s infrastructure.

The Payment Card Industry (PCI) Data Security Standard (DSS) is a global information security standard designed to prevent fraud through increased control of credit card data. Microsoft Azure maintains a PCI DSS validation using an approved Qualified Security Assessor (QSA), and is certified as compliant under PCI DSS version 3.2.1 at Service Provider Level 1. The Azure Policy regulatory compliance built-in initiative for PCI DSS maps to PCI DSS compliance domains and controls.

NIST SP 800-171 R2
By integrating Azure’s Security Benchmark and adhering to NIST guidelines, we proactively protect sensitive information and align with industry-standard risk management. This ensures a resilient environment across regulatory landscapes.

The National Institute of Standards and Technology (NIST) SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations provides guidelines for the protection of controlled unclassified information (CUI) in nonfederal information systems and organizations.

Azure Security Benchmark
These rigorous audits and Azure-integrated compliance monitoring further support alignment with Azure’s Security Benchmark best practices.

The Azure Security Benchmark (ASB) provides prescriptive best practices and recommendations to help improve the security of workloads, data, and services on Azure. The Azure Security Benchmark focuses on cloud-centric control areas. These controls are consistent with well-known security benchmarks, such as those described by the Center for Internet Security (CIS) Controls, National Institute of Standards and Technology (NIST), and Payment Card Industry Data Security Standard (PCI-DSS).

Cloud Security

Data center physical security
Our infrastructure relies on Microsoft Azure data centers located in North-Western Europe (Ireland and the Netherlands), the United States, and East Asia. By distributing data across multiple regions and enforcing layered physical access controls, we reduce risks of unauthorized entry and strengthen reliability.

Moreover, Azure’s globally dispersed data centers comply with strict industry standards such as ISO/IEC 27001:2013 and NIST SP 800-53. In addition, Azure offers more than 90 compliance certifications, giving PMI customers one of the most comprehensive compliance coverages available from any cloud service provider.

Vendor security
To minimize risks from third-party vendors, d2o conducts thorough security reviews for every vendor with access to our systems or Service Data. As a result, we ensure that external partners meet strict security requirements and do not compromise data integrity.
Network security

Dedicated Security Team

The d2o security team operates from North Europe and West Asia. Team members are on call 24/7 and respond immediately to security alerts and incidents.

In addition, our network security relies on Azure services, integration with edge protection networks, and regular audits. Network intelligence technologies continuously monitor and block known malicious traffic and cyberattacks.


Architecture

Moreover, our network architecture is segmented into multiple security zones. Depending on the zone, we apply additional security monitoring and stricter access controls.


Network Vulnerability Scanning

We use advanced vulnerability scanning to quickly detect non-compliant or potentially weak systems. Microsoft Defender for Cloud delivers proactive protection across all workloads. Furthermore, our team performs scans on operating systems, databases, and network devices. Regular Blue- and Red-team exercises validate security controls, and results directly inform new improvements.


Intrusion Detection, Prevention and Incident Event Management

Azure Secure Score continuously evaluates our security posture and highlights opportunities for improvement. In real time, it defends workloads and enables us to stop potential security events before they escalate.


DDoS Mitigation

To further strengthen protection, Azure DDoS Protection Standard offers enhanced defenses against large-scale DDoS attacks.


Logical Access

Access to the d2o Production Network follows the principle of least privilege. Only employees with explicit need-to-know receive access, and all access is audited and monitored by the Operations Team. In addition, multi-factor authentication is mandatory for every user.


Security Incident Response

Finally, when a system alert occurs, it is immediately escalated to our 24/7 Operations, Network Engineering, and Security teams. These teams collaborate to resolve issues quickly and effectively.

Encryption

All data in transit is protected using HTTPS/TLS (TLS 1.2 or higher) and remains encrypted at rest using AES-256. Azure’s high availability guarantees — along with service clustering, disaster recovery planning, and cross-region data replication — ensure that PMI services remain stable and recoverable.

Availability and continuity

Uptime

Microsoft Azure guarantees uptime availability of at least 99.06% for its services, depending on the resource and its configuration. Here is a summary of the Azure SLA for each service.


Redundancy

d2o employs service clustering and network redundancies to eliminate single points of failure. Azure's Enhanced Disaster Recovery service offering allows us to deliver a high level of service availability, as Service Data is replicated across availability zones.


Disaster Recovery

Our Disaster Recovery program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Thanks to Azure's powerful global networking backbone, d2o can replicate and fail over applications to any Azure region around the globe (zone-to-zone disaster recovery, within-continent disaster recovery, and global disaster recovery).

Application Security

PMI Solution and websites

This Privacy Policy Statement covers the information practices of PMI Solutions, including services such as:

  • PMI R&P (Revenue and Productivity)
  • PMI P&L (Profit and Loss)
  • PMI GoGreen
  • PMI Task Manager
  • PMI Plus (Extended version of R&P and P&L modules)

It also covers the information practices of websites that link to this privacy statement, including the following domains:

  • *.d2o.biz
  • *.d2o.com
  • *.d2o.no

Wildcard (*) means that any subdomain is covered on any of the listed domains.

Development security controls

Secure Code Training

d2o provides secure code training for engineers, based on the OWASP Top Ten security risks. d2o also runs Red and Blue team training at regular intervals.


Framework Security Controls

d2o leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.


Quality Assurance

Our Quality Assurance department reviews and tests our code base. Dedicated personnel test and triage security vulnerabilities in code.

The triage process should divide all identified issues into three categories, Fix, Acknowledge and Investigate, as set out in the NCSC's Vulnerability Management guidance.


Separate Environments

Test environments are logically separated from the Production environment.

Vulnerability management

Dedicated Security Team

The d2o security team has members stationed in North Europe and West Asia and is on call 24/7 to respond to security alerts and events.


Protection

Our network is protected through the use of key Azure security services, integration with edge protection networks, regular audits, and network intelligence technologies, which monitor and/or block known malicious traffic and network attacks.


Architecture

Our network security architecture is segmented and consists of multiple security zones. Depending on the zone, additional security monitoring and access controls will apply.


Network Vulnerability Scanning

Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems. Microsoft Defender for Cloud provides advanced threat protection across the workloads in the cloud. Vulnerability scanning is performed on server operating systems, databases, and network devices. Blue and Red-team exercises are also performed and the results are used to make security improvements.


Intrusion Detection, Prevention and Incident Event Management

The secure score within Microsoft Azure continually assesses our security posture and tracks new security opportunities and efforts. It defends workloads in real time and makes it possible to prevent security events from developing.


DDoS Mitigation

Azure DDoS Protection Standard provides enhanced DDoS mitigation features to defend against DDoS attacks.


Logical Access

Access to the d2o Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the d2o Production Network are required to use multiple factors of authentication.


Security Incident Response

In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage.

Product Security

Authentication security

Authentication Options

d2o offers two secure authentication options. Customers can either enable native PMI authentication or choose Enterprise Single Sign-On (SSO) via Office365. Both methods support end-user and agent authentication.


Password Policy

In addition, our password policy strengthens account protection. Passwords must contain at least 8 characters, including lower case, upper case, a number, and a special character.


2-Factor Authentication (2FA)

Moreover, d2o’s native authentication supports 2-Factor Authentication (2FA) for BRE, agents, and admins. Users can verify via SMS or an authenticator app, adding an extra layer of security.


Service Credential Storage

Finally, d2o follows industry best practices for secure credential storage. Passwords are never stored in human-readable format but only as the result of a secure, salted, one-way hash.

Additional product security feature

Role-Based Access Controls

Access to data within PMI applications is managed through role-based access control (RBAC). Administrators can configure granular permissions to ensure the right people have the right level of access. PMI supports multiple user roles, including owner, admin, agent, and end-user.


Audit Logs

In addition, d2o provides comprehensive audit logs. These logs track account changes, user activity, and system settings. A redacted audit log is available within PMI for each customer, while full production audit logs are maintained within the Azure framework for maximum compliance and traceability.


Redaction

Moreover, d2o employs manual redaction to safeguard sensitive data. This process allows confidential information to be removed or anonymized, protecting user privacy. When enabled, redaction anonymizes usernames and activities across logs and database entries. This feature supports GDPR compliance and ensures historic data is also securely managed.

HR Security

Security awareness

Policies

To strengthen information security, d2o has developed a comprehensive set of policies covering a wide range of topics. These security policies are accessible to all employees and contractors who handle PMI information assets, ensuring consistent standards across the organization.


Training

Furthermore, every employee participates in Security Awareness Training upon hire and again each year. Engineers also complete annual Secure Code Training to stay aligned with best practices. In addition, the Security Team regularly shares updates through emails, blog posts, and internal presentations to reinforce awareness and highlight new threats.

Employee vetting

Background Checks

As part of our commitment to security, d2o conducts background checks on all new employees in compliance with local laws. These checks also apply to contractors. Specifically, the process includes criminal record screening, education verification, and employment history verification.


Confidentiality Agreements

In addition, all new hires must sign Non-Disclosure and Confidentiality Agreements. These agreements ensure that sensitive information remains protected from day one.

Privacy related policies

Development security controls

Framework

To support secure development, d2o uses Azure DevOps, which provides developer services that allow teams to plan work, collaborate on code development, and build and deploy applications.


Quality Assurance

Furthermore, d2o applies strict code deployment controls within the DevOps lifecycle, including Code Review and Staging Deployment. The development team in Eastern Europe (EEU) reviews and approves all code before it is released to Production.


Separate environments

In addition, Development and Production environments remain fully separated in different Azure regions, ensuring both geographical and network isolation. Access is strictly role-based (RBAC), while higher-level permissions require two-factor authentication (2FA) and VPN gateways.

What information is collected?
When you express interest in learning more about the Services or register to use them, d2o asks you to provide basic personal details such as your name, company name, address, phone number, and email address (“Required Contact Information”).

In addition, as you browse d2o’s websites, information may be collected through commonly used tools like cookies. These help improve functionality and enhance the user experience.

Furthermore, when you register for or attend corporate events, d2o requests essential contact details along with information related to your participation through its websites.


PMI Solution Integration (Client Specific Source Data)

The Company may, at a Client's request, collect Source System Data from Clients or from Client-specific Integration Partners or Systems. Source System Integration may be with systems such as:

    • Points of Sale (POS)
    • F&B Reservation Systems (FRS)
    • Table Reservation System (TRS)
    • Time Keeping/Management System (TKS/TMS)
    • Property Management System (PMS)
    • Revenue Management System (RMS)
    • Sales & Catering Management System (S&C)
    • Accounting Management System (AMS)

Source data integration is important for Clients in order for specific PMI products and Services to work optimally. Source data is encrypted after import when stored for backup.


PMI Account

The Company directly collects information when you are:

    • enrolled as a PMI user (name, username, email address, title and employee number)
    • actively editing and submitting information within your specific PMI portal
    • submitting a support request

To have an account removed, send an email to support@d2o.com with the username and/or email address of the user(s) you would like removed. d2o will only honor account removal requests from known contacts at client organisations. If removal is not possible due to database dependencies, the username in question will instead be anonymized.

Web site cookies
d2o uses cookies to make interactions with its websites easier and more meaningful. When you visit d2o.com, our servers send a cookie to your device. By themselves, cookies do not personally identify you—they simply recognize your browser. Unless you choose to identify yourself (for example, by responding to a promotional offer, opening an account, or submitting a form), you remain anonymous.

We use both session-based and persistent cookies:
• Session cookies exist only during your visit. They disappear when you close your browser or turn off your device.
• Persistent cookies remain even after you close your browser. These help us remember your preferences across visits.

Keep in mind: If you disable cookies in your browser, you can still navigate the site, but some services may not function as intended.


Essential Cookies

Also called “strictly necessary” cookies, these enable core site functions. For example, they remember your preferences as you move between pages, ensuring you can use key features smoothly.


Analytics Cookies

These cookies track visits and user behavior so we can improve content, measure performance, and test new features. For example, they capture how long visitors stay, which pages they view, and which site referred them.


Functionality or Preference Cookies

These remember choices you make—such as username, language, or region. They personalize your experience, so you don’t need to reset preferences every time you return.


IP Addresses and Social Media Features

Our websites include third-party social media features (e.g., the Facebook “Like” button) and widgets such as “Share This.” These may collect your IP address, note which page you are visiting, and set a cookie to enable proper function. Your interaction with these tools is governed by the third party’s privacy policy.

International transfer of information collected
d2o primarily stores client and attendee data in Norway. However, to support our global operations, we may also transfer and access this information from other countries where we operate. For transparency, you can view our list of global offices [here].

Importantly, this privacy statement applies at all times—even when d2o transfers client or attendee data across borders.

Third party links
From time to time, we may choose to feature third-party products or services on our website. These external sites operate under their own independent privacy policies. Therefore, d2o is not responsible or liable for the content or activities of any linked site.

However, we remain committed to protecting the integrity of our website. We also welcome your feedback if you encounter concerns about these third-party sites.

GDPR Compliance

Europe General Data Protection Regulation (GDPR)

Our GDPR Commitments

At d2o, we fully embrace the principles of the General Data Protection Regulation (GDPR). Today, we support more than 500 customers and 5,000 end-users in over 10 countries—and growing.

Our service agreement gives customers a license to access and use PMI, delivered as SaaS. In providing this service, customers entrust us with processing non-sensitive personal data submitted and stored by their end-users.

As a SaaS provider, we are committed to offering features that help customers meet their GDPR obligations, including the rights of data subjects (Art. 13–22). If customers cannot fully meet their GDPR duties through PMI alone, they can trust that, whenever legally permitted and commercially reasonable, d2o will assist in handling data subject enquiries.

Equally important, we pledge to:

  • Apply strong technical and organizational practices so that personal data is always processed securely (Art. 5(1)(f)).
  • Demonstrate compliance and take accountability for GDPR-related tasks and responsibilities entrusted to us.
  • Uphold the spirit of GDPR by acknowledging that no Data Processing Agreement relieves us, as Processor, of our direct duties and liabilities (Art. 29).


PMI only allows non-sensitive personal data to be processed

PMI only allows the processing of non-sensitive personal data. Customers can process limited information such as:

  • First and last name
  • Email address
  • Job title and employee number
  • Payroll cost (encrypted both in motion and at rest)

The categories of data subjects are strictly limited to PMI system end-users and employees.

By focusing on these narrow data categories, and through robust technical and organizational measures, d2o ensures GDPR compliance and strengthens data protection for all customers. For more details about d2o's GDPR orientation, click here.

Personal data access outside EEA

d2o complies with GDPR and EDPB recommendations:

  • d2o does not move data outside the EU.
  • Personal data is encrypted, which technically prevents any d2o processor outside the EEA from identifying natural persons (whether on screen, in a screenshot or otherwise).
  • Privileges are managed by authorized personnel based within the EEA.

Legal Information

Agreements

Our agreements and policies provide our customers and partners transparency and detailed information about d2o’s Services, which in turn support our customers in meeting their own legal and compliance standards.

Third party disclosure

Service Providers

d2o may share client and attendee data with contracted service providers so they can deliver services on our behalf. However, unless stated in this Privacy Statement, we do not sell, rent, or trade personal information with third parties for promotional purposes.


Affiliates

We may also share client data within the d2o corporate group. For example, this helps us with customer relationship management and support.


Business Partners

From time to time, d2o partners with other companies to jointly offer products or services. If you purchase—or show interest in—a jointly offered service, we may share relevant client data with our promotion partners. However, these partners follow their own privacy policies. If you prefer not to share your information, simply choose not to purchase or express interest in these joint offerings.


Third Parties

This Privacy Statement explains the information we collect through our websites and what we may share with third parties. Importantly, d2o does not authorize third parties to collect personal information through advertising technologies on our sites. Likewise, we do not share such information with outside parties, except as outlined here.


Compelled Disclosure

Finally, we may use or disclose information if required by law. We may also do so if we reasonably believe it is necessary to protect d2o’s rights or to comply with a judicial proceeding, court order, or other legal process.
